Abstract — This paper presents a prepare-and-measure scheme using $N$-dimensional quantum particles as information carriers where $N$ is a prime power. One of the key ingredients used to resist eavesdropping in this scheme is to depolarize all Pauli errors introduced to the quantum information carriers. Using the Shor-Preskill-type argument, we prove that this scheme is unconditionally secure against all attacks allowed by the laws of quantum physics. For $N = 2^n > 2$, each information carrier can be replaced by $n$ entangled qubits. In this case, there is a family of eavesdropping attacks on which no unentangled-qubit-based prepare-and-measure quantum key distribution scheme known to date can generate a provably secure key. In contrast, under the same family of attacks, our entangled-qubit-based scheme remains secure whenever $2^n > 4$. This demonstrates the advantage of using entangled particles as information carriers and of using depolarization of Pauli errors to combat eavesdropping attacks more drastic than those that can be handled by unentangled-qubit-based prepare-and-measure schemes.

Index Terms — Depolarization, entanglement purification, local quantum operation, Pauli error, phase error correction, quantum key distribution, Shor-Preskill proof, two-way classical communication, unconditional security

I. Introduction 

Key distribution is the art of sharing a secret key between
two cooperative players Alice and Bob in the presence 
of an eavesdropper Eve. If Alice and Bob distribute their key 
by exchanging classical messages only, Eve may at least in 
principle wiretap their conversations without being caught. So, 
given unlimited computational resources, Eve can crack the 
secret key. In contrast, in any attempt to distinguish between 
two non-orthogonal states, information gain is only possible 
at the expense of disturbing the state [1]. Therefore, if Alice 
and Bob distribute their secret key by sending non-orthogonal 
quantum signals, any eavesdropping attempt will almost surely 
affect their signal fidelity. Consequently, a carefully designed 
quantum key distribution (QKD) scheme allows Alice and 
Bob to accurately determine the quantum error rate, which in 
turn reflects the eavesdropping rate. If the estimated quantum 
error rate is too high, Alice and Bob abort the scheme and 
start all over again. Otherwise, they perform certain privacy 
amplification procedures to distill out the final key [2], [3], 
[4], [5], [6]. It is, therefore, conceivable that a provably 
secure QKD scheme exists even when Eve has unlimited 
computational power. 

With this belief in mind, researchers proposed many QKD schemes [6]. These schemes differ in many ways such as the Hilbert space dimension of the quantum particles used, as well as the states and bases Alice and Bob prepared and measured. The first QKD scheme, commonly known as BB84, was invented by Bennett and Brassard [7]. In BB84, Alice randomly and independently prepares each qubit in one of the following four states: $|0\rangle$, $|1\rangle$ and $(|0\rangle \pm |1\rangle)/\sqrt{2}$, and sends them to Bob. After receiving the qubits, Bob randomly and independently measures each qubit in either $\{|0\rangle, |1\rangle\}$ or $\{(|0\rangle \pm |1\rangle)/\sqrt{2}\}$ bases. In short, BB84 is an experimentally feasible prepare-and-measure (PM) scheme involving the transfer of unentangled qubits [7]. Later, Bruß introduced another experimentally feasible PM scheme known as the six-state scheme [8]. In this scheme, Alice randomly and independently prepares each qubit in one of the following six states: $|0\rangle$, $|1\rangle$, $(|0\rangle \pm |1\rangle)/\sqrt{2}$ and $(|0\rangle \pm i|1\rangle)/\sqrt{2}$; and Bob measures each of them randomly and independently in one of the following three bases: $\{|0\rangle, |1\rangle\}$, $\{(|0\rangle \pm |1\rangle)/\sqrt{2}\}$ and $\{(|0\rangle \pm i|1\rangle)/\sqrt{2}\}$. Although the six-state scheme is more complex and generates a key less efficiently, Bruß found that it tolerates higher noise level than BB84 if Eve attacks each qubit individually [8]. In addition to qubit-based schemes such as BB84 and the six-state scheme, a number of PM QKD schemes involving higher dimensional or continuous systems have been proposed [9], [10], [11], [12], [13], [14], [15], [16], [17]. Most importantly, compared with qubit-based PM schemes, studies showed that many PM schemes involving higher dimensional systems can generate secure keys when a higher fraction of particles is eavesdropped individually [13], [14], [15], [16], [18].

Instead of using PM schemes, Alice and Bob may explicitly use their shared entanglement to create a secret key. The first such entanglement-based (EB) QKD scheme was proposed by Ekert [19]. This scheme makes use of the fact that measuring a singlet state $(|01\rangle - |10\rangle)/\sqrt{2}$ along a common axis produces a pair of anti-correlated random bits. Consequently, a common key can be established provided that Alice and Bob share singlets through a quantum communication channel. To ensure that the fidelity of the shared singlets is high, Alice and Bob check if certain Bell's inequalities are maximally violated in a randomly selected subset of their shared particles [19]. Compared with PM schemes, a typical EB scheme generates a key more efficiently but is harder to implement experimentally.

Are these QKD schemes really secure? Is it true that the 
six-state scheme tolerates higher error level than BB84? The 
answers to these questions turn out to be highly non-trivial. 
Recall that the all powerful Eve may choose to attack the 
transmitted qubits collectively by applying a unitary operator 
to entangle these qubits with her quantum particles. In this 
situation most of our familiar tools such as classical probability 
theory do not apply to the resultant highly entangled non-classical
state. These make rigorous cryptanalysis of BB84,
the six-state and Ekert schemes extremely difficult.

In spite of these difficulties, air-tight security proofs against all possible eavesdropping attacks of BB84, the six-state and Ekert schemes have been discovered. Rigorous proofs of QKD schemes with better error tolerance have also been found. Mayers [4] and Biham et al. [20] eventually proved the security of BB84 against all kinds of attacks allowed by the known laws of quantum physics. In particular, Mayers showed that in BB84 a provably secure key can be generated whenever the bit error rate is less than about 7% [4]. (A precise definition of bit error rate can be found in Def. [5] in Subsection IV-A. Moreover, we emphasize that, unless otherwise stated, all provably secure error rates quoted in this paper are provable lower bounds. A QKD scheme may generate a secure key at a higher error rate although a rigorous proof has not been found.) Along a different line, Lo and Chau [3] proved the security of an EB QKD scheme, which is similar to the Ekert scheme, that applies up to 1/3 bit error rate by means of a random hashing technique based on entanglement purification [21]. Their security proof is conceptually simple and appealing. Nevertheless, their scheme requires quantum computers and hence is not practical yet. By ingeniously combining the essence of the Mayers and Lo-Chau proofs, Shor and Preskill gave a security proof of BB84 that applies up to 11.0% bit error rate [22]. This is a marked improvement over the 7% bit error tolerance rate in Mayers' proof. Since then, the Shor-Preskill proof became a blueprint for the cryptanalysis of many QKD schemes. For instance, Lo [23] as well as Gottesman and Lo [24] extended it to cover the six-state QKD scheme. At the same time, the work of Gottesman and Lo also demonstrates that careful use of local quantum operation plus two-way classical communication (LOCC2) increases the error tolerance rate of QKD. Furthermore, they found that the six-state scheme tolerates a higher bit error rate than BB84 because the six-state scheme gives better estimates for the three Pauli error rates [24]. In search of an unentangled-qubit-based (UQB) QKD scheme that tolerates higher bit error rate, Chau recently discovered an adaptive entanglement purification procedure inspired by the technique used by Gottesman and Lo in Ref. [24]. He further gave a Shor-Preskill-based proof showing that this adaptive entanglement purification procedure allows the six-state scheme to generate a provably secure key up to a bit error rate of $(5 - \sqrt{5})/10 \approx 27.6\%$ [25], making it the most error-tolerant PM scheme involving the transfer of unentangled qubits to date.

Unlike various UQB QKD schemes, very little cryptanalysis against the most general type of eavesdropping attack on a QKD scheme involving the transfer of higher dimensional quantum systems or entangled qubits has been performed. The only relevant work to date seems to be the earlier version of this work [17]. In that manuscript, an unconditionally secure QKD scheme that generalized the six-state scheme by using conjugation to cyclically permute $O(N)$ kinds of quantum errors that can occur in the $N$-dimensional quantum information carriers was reported. Moreover, the set of preparation and measurement bases used is mutually unbiased [17]. Probably because Pauli errors are not depolarized when $N > 2$, the error tolerance capability of that scheme is not particularly high under the most general type of attack when $2 < N < 16$. More importantly, that scheme does not conclusively demonstrate the superiority of using entangled qubits to combat Eve [17]. In contrast, almost all cryptanalysis suggests that QKD schemes involving higher dimensional systems are more error-tolerant under individual particle attack [13], [14], [15], [18]. It is, therefore, instructive to find an unconditionally secure PM QKD scheme based on entangled qubits that stands up to more drastic eavesdropping attacks than all UQB PM schemes known to date.

In this paper, we analyze the security and error tolerance capability of a PM QKD scheme involving the transmission of higher dimensional quantum particles or entangled qubits. In fact, this scheme makes use of $N$-dimensional quantum information carriers prepared and measured randomly in $N(N+1)$ different bases. (In the cases of $N = 2, 3, 5, 7, 11$, the number of bases used can be reduced to $(N+1)$.) Such a preparation and measurement procedure depolarizes all Pauli errors in the transmitted signal. This greatly restricts the form of errors occurring in the quantum signals and makes error estimation effective; hence, its error tolerance rate is high. Nonetheless, the high error tolerance rate comes with a price, namely, that the efficiency of the scheme drops.

This paper is organized as follows: We first review the general assumptions on the capabilities of Alice, Bob and Eve, as well as a precisely stated security requirement for a general QKD scheme in Section II. Then we introduce an EB QKD scheme involving the transmission of $N$-dimensional quantum systems, where $N$ is a prime power, in Section III and prove its security against the most general eavesdropping attack in Section IV. By standard Shor and Preskill reduction argument, we arrive at the provably secure PM scheme using unentangled $N$-dimensional quantum particles in Section V. Since one may use $n$ possibly entangled qubits to represent an $N$-dimensional quantum state whenever $N = 2^n$, we obtain an unconditionally secure entangled-qubit-based (EQB) PM QKD scheme. (See Section V for a discussion of a subtle point in constructing this EQB PM QKD scheme. Moreover, we emphasize that the term EQB means that the qubits used to transfer information between Alice and Bob are entangled. In contrast, the term EB means that entanglement shared between Alice and Bob is explicitly used to generate the secret key. Thus, an EQB scheme may not be an EB scheme.) This EQB PM QKD scheme offers a definite advantage over all currently known UQB ones used to combat Eve. Specifically, whenever the most error-tolerant UQB PM QKD scheme known to date (namely, the one introduced by Chau in Ref. [25]) can generate a provably secure key under an eavesdropping attack, this EQB scheme can also generate an equally secure key for any $2^n > 2$ under the same attack. Furthermore, there is a family of eavesdropping attacks that creates a bit error rate too high for Chau's scheme in Ref. [25] to generate a provably secure key. In contrast, the same family of attacks does not prevent this EQB PM scheme from producing a secure key whenever $2^n > 4$. This observation convincingly demonstrates that using entangled particles as information carriers can increase error tolerance in QKD. Lastly, we give a brief summary in Section VI.

II. General Features And Security Requirements
For Quantum Key Distribution 

In QKD, we assume that Alice and Bob have access to two 
communication channels. The first one is an insecure noisy 
quantum channel. The other one is an unjammable noiseless 
authenticated classical channel in which everyone, including 
Eve, can listen to, but cannot alter, the content passing through 
it. We also assume that Alice and Bob have complete control 
over their own apparatus. Everything else for the unjammable 
classical channel may be manipulated by the all powerful Eve. 
We further make the most pessimistic assumption that Eve is 
capable of performing any operation in her controlled territory 
that is allowed by the known laws of quantum physics [5], [6], 

Given an unjammable classical channel and an insecure 
quantum channel, a QKD scheme consists of three stages [2]. 
The first is the signal preparation and transmission stage in 
which quantum signals are prepared and exchanged between 
Alice and Bob. The second is the signal quality test stage in 
which a subset of the exchanged quantum signals is measured 
in order to estimate the eavesdropping rate in the quantum 
channel. The final phase is the signal privacy amplification 
stage in which a carefully designed privacy amplification 
procedure is performed to distill out an almost perfectly secure 
key. 

No QKD scheme can be 100% secure as Eve may be lucky 
enough to guess the preparation or measurement bases for each 
quantum state correctly. Hence, it is more reasonable to demand
that the mutual information between Eve's measurement
results after eavesdropping and the final secret key is less than 
an arbitrary but fixed small positive number. Hence we adopt 
the following definition of security. 

Definition 1 (Based on Lo and Chau [3]): With the above assumptions on the unlimited computational power of Eve, a QKD scheme is said to be unconditionally secure with security parameters $(\epsilon_p, \epsilon_I)$ provided that whenever Eve has a cheating strategy that passes the signal quality control test with probability greater than $\epsilon_p$, the mutual information between Eve's measurement results from eavesdropping and the final secret key is less than $\epsilon_I$.

III. An Entanglement-Based Quantum Key 
Distribution Scheme 

In this section, we generalize the six-state scheme in a new way. In Subsection III-A, we first identify each element in $SL(2, N)$, the special linear group of $2 \times 2$ matrices over the finite field $GF(N)$, with a distinct unitary operator in $U(N)$. It turns out that all Pauli errors occurring in the transmitted particles can be depolarized by conjugating each transmitted particle by a randomly and independently picked unitary operator to be constructed. Then, in Subsection III-B, we devise an EB QKD scheme based on this set of unitary operators.

A. Construction Of The Unitary Operator T(M)

We begin with the following definitions.

Definition 2 (Ashikhmin and Knill [26]): Let $a \in GF(N)$ where $N = p^n$ with $p$ being a prime. We define the unitary operators $X_a$ and $Z_a$ acting on an $N$-dimensional Hilbert space by

$$X_a |b\rangle = |a + b\rangle \tag{1}$$

and

$$Z_a |b\rangle = \chi_a(b) |b\rangle = \omega_p^{\mathrm{Tr}(ab)} |b\rangle \tag{2}$$

where $\chi_a$ is an additive character of the finite field $GF(N)$, $\omega_p$ is a primitive $p$th root of unity and $\mathrm{Tr}(a) = a + a^p + a^{p^2} + \cdots + a^{p^{n-1}}$ is the absolute trace of $a \in GF(N)$. Note that the arithmetic inside the state ket and in the exponent of $\omega_p$ is performed in the finite field $GF(N)$.

It is easy to see from Definition 2 that the set of all Pauli errors acting on an $N$-dimensional particle $\{X_a Z_b : a, b \in GF(N)\}$ spans the set of all possible linear operators acting on that particle over $\mathbb{C}$. (Unless otherwise stated, all linear operators discussed in this paper are endomorphisms.) Besides, $X_a$ and $Z_b$ follow the algebra

$$X_a X_b = X_b X_a = X_{a+b}, \tag{3}$$

$$Z_a Z_b = Z_b Z_a = Z_{a+b} \tag{4}$$

and

$$Z_b X_a = \omega_p^{\mathrm{Tr}(ab)} X_a Z_b \tag{5}$$

for all $a, b \in GF(N)$, where arithmetic in the subscripts is performed in $GF(N)$.

One way to permute quantum errors is to construct a unitary operator that maps $X_a Z_b$ to $X_{a\alpha+b\beta} Z_{a\delta+b\gamma}$ modulo a phase factor by conjugation. Specifically, let $M = \begin{bmatrix} \alpha & \beta \\ \delta & \gamma \end{bmatrix} \in SL(2, N)$ where $N = p^n$ is a prime power. We look for a unitary operator $T(M)$ satisfying

$$T(M)^{-1} X_a Z_b T(M) = \omega_p^{f_M(a,b)} X_{a\alpha+b\beta} Z_{a\delta+b\gamma} \tag{6}$$

for all $a, b \in GF(N)$, where the arithmetic in the subscripts is performed in $GF(N)$ and the factor $\omega_p^{f_M(a,b)} \in \mathbb{C}$ satisfies $|\omega_p^{f_M(a,b)}| = 1$. When the matrix $M \in SL(2, N)$ is clearly known to the readers, we shall simply denote $T(M)$ by $T$ and $f_M$ by $f$.

The choice of $T$ is not unique if it exists. This is because $e^{i\theta} X_c Z_d T$ also permutes quantum errors modulo a phase factor for all $\theta \in \mathbb{R}$ and $c, d \in GF(N)$. (However, the phase $f(a, b)$ depends on the values $c$ and $d$.)

Let us temporarily drop the invertibility requirement for $T$. Applying the left hand side of Eq. (6) to the zero vector, we have $X_a Z_b T 0 = \omega_p^{f(a,b)} T X_{a\alpha+b\beta} Z_{a\delta+b\gamma} 0 = \omega_p^{f(a,b)} T 0$ for all $a, b \in GF(N)$. Thus, $T0 = 0$ and hence the linear operator $T$ is well-defined (although it may not be invertible).

In contrast, an invertible $T$ satisfying Eq. (6) does not exist in general. To see this, we use Eqs. (3)–(5) to manipulate the expression $X_{a+c} Z_{b+d} T$. On one hand,

$$X_{a+c} Z_{b+d} T = \omega_p^{f(a+c,b+d)} T X_{(a+c)\alpha+(b+d)\beta} Z_{(a+c)\delta+(b+d)\gamma}.$$

On the other hand,

$$\begin{aligned} X_{a+c} Z_{b+d} T &= \omega_p^{-\mathrm{Tr}(bc)} X_a Z_b X_c Z_d T \\ &= \omega_p^{f(c,d)-\mathrm{Tr}(bc)} X_a Z_b T X_{c\alpha+d\beta} Z_{c\delta+d\gamma} \\ &= \omega_p^{f(a,b)+f(c,d)+\mathrm{Tr}([a\delta+b\gamma][c\alpha+d\beta]-bc)} T X_{(a+c)\alpha+(b+d)\beta} Z_{(a+c)\delta+(b+d)\gamma}. \end{aligned}$$

Thus, agreement of the above two ways of expressing $X_{a+c} Z_{b+d} T$ for all $a, b, c, d \in GF(N)$ is a necessary condition for the existence of $T^{-1}$; otherwise $T$ is not injective as it maps a non-zero vector to the zero vector.

It is tedious but straight-forward to check that the phase factor given in Eq. (7), together with the three phase conventions (8)–(10) below satisfy the necessary condition for the existence of $T^{-1}$ stated in the above paragraph. More importantly, we prove in Theorem 1 that the phase factor $f_M(a, b)$ defined in this way makes $T(M)$ invertible for all $M \in SL(2, N)$. We begin by writing down this particular phase factor $f_M(a, b)$ below:

$$f_M(a, b) = \frac{1}{2} \mathrm{Tr}(a^2 \alpha\delta + b^2 \beta\gamma) + \mathrm{Tr}(ab\beta\delta) + \Delta_{p2} \, \mathrm{Tr}\Big(\sum_{i>j} g_i g_j [a_i a_j \alpha\delta + b_i b_j \beta\gamma]\Big) \tag{7}$$

for all $a, b \in GF(N)$. Note that in Eq. (7), $a = \sum_{i=1}^{n} a_i g_i$ and $b = \sum_{i=1}^{n} b_i g_i$ where $\{g_1, g_2, \ldots, g_n\}$ is a fixed basis of $GF(N)$ over the field $GF(p)$ and $a_i, b_i \in GF(p)$. Moreover, $\Delta_{p2} = 1$ if $p = 2$ and $\Delta_{p2} = 0$ if $p \neq 2$ in the above equation is the Kronecker delta.

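The phase conventions are chosen as follows. When $p > 2$ and hence $N$ is odd, 2 is invertible in $GF(N)$. Consequently, the phase $\omega_p^{f_M(a,b)}$ may be chosen from $p$th roots of unity. Following this convention requires

$$f_M(a, b) \in \mathbb{Z}/p\mathbb{Z} \text{ for any } a, b \in GF(N) \text{ if } 2 \nmid N. \tag{8}$$

In contrast, when $p = 2$ and hence $N$ is even, 2 is not invertible in $GF(N)$. Consequently, $f_M(a, b)$ may be integral or half-integral; and $\omega_p^{f_M(a,b)} \in \{\pm 1, \pm i\}$. In this case, we use the convention

$$\omega_p^{\mathrm{Tr}(g_j^2 a_j^2 \alpha\delta)/2} = \begin{cases} 1 & \text{if } \mathrm{Tr}(g_j^2 a_j^2 \alpha\delta) = 0, \\ i & \text{if } \mathrm{Tr}(g_j^2 a_j^2 \alpha\delta) = 1, \end{cases} \tag{9}$$

and

$$\omega_p^{\mathrm{Tr}(g_j^2 b_j^2 \beta\gamma)/2} = \begin{cases} 1 & \text{if } \mathrm{Tr}(g_j^2 b_j^2 \beta\gamma) = 0, \\ i & \text{if } \mathrm{Tr}(g_j^2 b_j^2 \beta\gamma) = 1, \end{cases} \tag{10}$$

for all $a_j, b_j \in GF(p)$, where $j = 1, 2, \ldots, n$.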

We explain why the last term in Eq. (7) is required. Recall that the identity $\mathrm{Tr}(a_i^2 + a_j^2)/2 + \mathrm{Tr}(a_i a_j) = \mathrm{Tr}([a_i + a_j]^2)/2$ holds only for $p > 2$. In contrast, $\mathrm{Tr}(a_i^2 + a_j^2) = \mathrm{Tr}([a_i + a_j]^2)$ for $p = 2$. So, we cannot use the first identity to absorb the last term in Eq. (7) into the first term when $p = 2$.

Lemma 1: Suppose $T(M)$ is a non-zero linear operator obeying Eqs. (7)–(10) as well as the equation $X_a Z_b T(M) = \omega_p^{f_M(a,b)} T(M) X_{a\alpha+b\beta} Z_{a\delta+b\gamma}$ for all $a, b \in GF(N)$. Then $T(M)$ is invertible. Besides, $T(M)$ is unitary after a proper scaling. Specifically, $T(M)$ is unitary if and only if its operator norm satisfies $\|T(M)\| = 1$.

Proof: Clearly, $T$ also satisfies the equation

$$Z^\dagger_{-a\delta-b\gamma} X^\dagger_{-a\alpha-b\beta} T^\dagger = \omega_p^{f(-a,-b)} T^\dagger Z^\dagger_{-b} X^\dagger_{-a}.$$

From Eqs. (7)–(10), we know that

$$\begin{aligned} X_a Z_b T T^\dagger &= \omega_p^{f(a,b)} T X_{a\alpha+b\beta} Z_{a\delta+b\gamma} T^\dagger \\ &= \omega_p^{f(a,b)-\mathrm{Tr}([a\alpha+b\beta][a\delta+b\gamma])} T Z^\dagger_{-a\delta-b\gamma} X^\dagger_{-a\alpha-b\beta} T^\dagger \\ &= \omega_p^{f(a,b)+f(-a,-b)-\mathrm{Tr}(a^2\alpha\delta+b^2\beta\gamma)-2\mathrm{Tr}(ab\beta\delta)} T T^\dagger X_a Z_b \\ &= T T^\dagger X_a Z_b \end{aligned}$$

for all $a, b \in GF(N)$. By the same argument, $X_a Z_b T^\dagger T = T^\dagger T X_a Z_b$ for all $a, b \in GF(N)$. Thus $TT^\dagger$ and $T^\dagger T$ are non-zero operators belonging to the centralizer of $\{\sum_{a,b} A_{ab} X_a Z_b : A_{ab} \in \mathbb{C}\}$. In other words, $TT^\dagger$ and $T^\dagger T$ are non-zero constant multiples of the identity operator. Hence, $T$ is invertible. Obviously, the invertible operator $T$ is unitary if and only if $\|T\| = 1$. ■



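Theorem 1: Let $\{g_1, g_2, \ldots, g_n\}$ be a fixed basis of $GF(N)$ over $GF(p)$. For any $M = \begin{bmatrix} \alpha & \beta \\ \delta & \gamma \end{bmatrix} \in SL(2, N)$, the unitary operator $T(M)$ satisfying Eqs. (6)–(10) exists. A possible choice of $T(M)$ is

$$T(M) = \frac{e^{i\theta}}{N^{\dim(\mathrm{colspan}(M-I))/2}} \sum_{[a\ b] \in \mathrm{colspan}(M-I)} \omega_p^{\mathrm{Tr}(\varphi_M(a,b))} \, \omega_p^{0.5\,\mathrm{Tr}(\varphi'_M(a,b))} X_a Z_b \tag{11}$$

for some $\theta \in \mathbb{R}$, with $\mathrm{colspan}(M - I)$ being the span of the columns of $(M - I)$. In the above equation, the functions $\varphi_M, \varphi'_M : GF(N) \times GF(N) \to GF(N)$ are given by

$$\begin{aligned} \varphi_M(a, b) = {} & b[\alpha \tilde{a}(a,b) + \beta \tilde{b}(a,b)] - a\tilde{b}(a,b) - \alpha\delta \tilde{a}(a,b)^2 \\ & - \alpha(\gamma - 1)\tilde{a}(a,b)\tilde{b}(a,b) - \beta(\gamma - 1)\tilde{b}(a,b)^2 \\ & + \Delta_{p2} \sum_{i>j} g_i g_j [\alpha\delta \tilde{a}_i(a,b)\tilde{a}_j(a,b) + \beta\gamma \tilde{b}_i(a,b)\tilde{b}_j(a,b)] \end{aligned} \tag{12}$$

and

$$\varphi'_M(a, b) = \alpha\delta \tilde{a}(a,b)^2 + \beta\gamma \tilde{b}(a,b)^2 \tag{13}$$

respectively. In Eqs. (12) and (13), $\tilde{a}(a,b), \tilde{b}(a,b) \in GF(N)$ and $\tilde{a}_i(a,b), \tilde{b}_i(a,b) \in GF(p)$ are the solutions of the system of equations

$$\sum_{i=1}^{n} g_i \tilde{a}_i(a,b) = \tilde{a}(a,b), \tag{14}$$

$$\sum_{i=1}^{n} g_i \tilde{b}_i(a,b) = \tilde{b}(a,b) \tag{15}$$

and

$$\begin{bmatrix} \alpha - 1 & \beta \\ \delta & \gamma - 1 \end{bmatrix} \begin{bmatrix} \tilde{a}(a,b) \\ \tilde{b}(a,b) \end{bmatrix} = \begin{bmatrix} a \\ b \end{bmatrix}. \tag{16}$$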



Proof: We show the existence of $T$ by explicitly constructing it. We write $T = \sum_{i,j \in GF(N)} A_{ij} X_i Z_j$ for some $A_{ij} \in \mathbb{C}$. Substituting this $T$ into Eq. (6) and equating the coefficient of $X_a Z_b$, we obtain

$$A_{ab} = \omega_p^{f(i,j)+\mathrm{Tr}([i\alpha+j\beta]\{b-i\delta-j[\gamma-1]\}-aj)} \times A_{a-i(\alpha-1)-j\beta,\; b-i\delta-j(\gamma-1)} \tag{17}$$

for all $a, b, i, j \in GF(N)$. Using Eqs. (7)–(10), it is tedious but straight-forward to check that Eq. (17) consists of $N^2$, $N(N-1)$ and $(N^2-1)$ independent equations when $(M - I)$ is of rank 0, 1 and 2 respectively.

In what follows, we only consider the case $\det(M - I) \neq 0$. The other cases can be proven in a similar manner. Since $(M - I)$ is invertible, $\dim(\mathrm{colspan}(M - I)) = 2$. Besides, the solution of $\tilde{a}(a,b), \tilde{b}(a,b) \in GF(N)$ and $\tilde{a}_i(a,b), \tilde{b}_i(a,b) \in GF(p)$ in the system of Eqs. (14)–(16) exists and is unique for any given $a, b \in GF(N)$. Hence, by choosing these $\tilde{a}(a,b), \tilde{b}(a,b), \tilde{a}_i(a,b), \tilde{b}_i(a,b)$, we may use the $(N^2 - 1)$ independent equations taken from Eq. (17) to relate every $A_{ab}$ to $A_{00}$ for all $(a, b) \neq (0, 0)$. In this way, we conclude that every $A_{ab}$ is proportional to $A_{00}$. Besides, all $|A_{ab}|$'s are equal. Consequently, from Lemma 1 the unitarity of $T(M)$ implies that $|A_{00}| = 1/N$. Substituting $\tilde{a}(a,b), \tilde{b}(a,b)$ into Eqs. (10) and (17), we arrive at Eqs. (11)–(13). ■

[Table I, with columns $N$, $M$ and $T(M)$]

TABLE I
The operator $T$ for a few $M$'s in the case of $N = 2$, 3 and 4. Note that $\omega \in GF(4)$ in the last row of the table satisfies $\omega^2 + \omega + 1 = 0$.

For the purpose of illustration, the unitary operators $T(M)$'s for a few $M$'s computed by Eqs. (8)–(13) are listed in Table I. Incidentally, the unitary operator $T(M)$ listed in Table I for $N = 2$ is, up to a global phase, the same as the one used by Lo in his security proof of the six-state scheme in Ref. [23]. Furthermore, it is shown in Theorem [8] in the Appendix that the first three operators listed in Table I are of great importance in the construction of QKD schemes for $N = 2, 3$.

The unitary operator $T(M)$ stated in Theorem 1 depends on the matrix $M \in SL(2, N)$. So we may regard $T$ as a map from $SL(2, N)$ to $U(N)$. Let $M_i = \begin{bmatrix} \alpha_i & \beta_i \\ \delta_i & \gamma_i \end{bmatrix} \in SL(2, N)$ for $i = 1, 2$. Suppose further that $N$ is odd. From Eq. (7), it follows that $f_{M_1 M_2}(a, b) = f_{M_1}(a\alpha_2 + b\beta_2, a\delta_2 + b\gamma_2) + f_{M_2}(a, b)$ for all $a, b \in GF(N)$. In other words, $T(M_1 M_2) = T(M_2) T(M_1)$. Hence the map $T : SL(2, N) \to U(N)$ defines a faithful transposed representation of $SL(2, N)$ for all odd $N$. As $SL(2, N)$ is generated by two elements for any prime power $N$ [27], Alice and Bob may apply any $T(M)$ if they can apply the two specific unitary operators corresponding to the generators of $SL(2, N)$. In contrast, when $N$ is even, $T$ is not a group representation of $SL(2, N)$. Fortunately, readers will find out in Section IV that the security of all the QKD schemes reported in this paper does not depend on the phase $f_M(a, b)$. Therefore, in practice, Alice and Bob may replace $T(M_1 M_2 \cdots M_k)$ used in the QKD schemes reported in this paper by $T(M_k) T(M_{k-1}) \cdots T(M_1)$ in which $M_j$'s are chosen from the two generators of $SL(2, N)$. (Note that the unitary operator defined in this way may depend on the decomposition of a matrix in $SL(2, N)$ into factors of $M_j$'s. However, the unitary operator defined by any such decomposition will work equally well.)
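
The construction of Theorem 1 can be checked numerically. The Python code below is an added example, not code from the paper: it assumes an odd prime $N = p$ (so $n = 1$, $g_1 = 1$, $\mathrm{Tr}(x) = x$, $\Delta_{p2} = 0$ and the factor 1/2 is the inverse of 2 in $GF(p)$), $\det(M - I) \neq 0$ and $\theta = 0$, and all function names are chosen here. It builds $T(M)$ from Eqs. (11)–(16), tests the relation of Lemma 1 and unitarity, and counts how the map $(a, b) \mapsto (a\alpha + b\beta, a\delta + b\gamma)$ spreads one Pauli label over the non-zero labels as $M$ runs over $SL(2, p)$, the uniformity that depolarization relies on.

```python
import cmath
from itertools import product

def omega(p, k):
    """omega_p**k, with omega_p = exp(2*pi*i/p) a primitive p-th root of unity."""
    return cmath.exp(2j * cmath.pi * (k % p) / p)

def matmul(A, B):
    n = len(A)
    return [[sum(A[r][k] * B[k][c] for k in range(n)) for c in range(n)]
            for r in range(n)]

def pauli(a, b, p):
    """Matrix of X_a Z_b: |c> -> omega_p**(b*c) |a+c>  (Eqs. (1)-(2), Tr(x) = x)."""
    P = [[0j] * p for _ in range(p)]
    for c in range(p):
        P[(a + c) % p][c] = omega(p, b * c)
    return P

def f_M(M, a, b, p):
    """Phase exponent of Eq. (7) for odd prime p; 1/2 is the inverse of 2 mod p."""
    (al, be), (de, ga) = M
    half = pow(2, p - 2, p)
    return (half * (a * a * al * de + b * b * be * ga) + a * b * be * de) % p

def build_T(M, p):
    """T(M) of Eq. (11) with theta = 0, for the rank-2 case det(M - I) != 0."""
    (al, be), (de, ga) = M
    det_k = ((al - 1) * (ga - 1) - be * de) % p
    if det_k == 0:
        raise ValueError("M - I is singular; this example covers rank 2 only")
    inv, half = pow(det_k, p - 2, p), pow(2, p - 2, p)
    T = [[0j] * p for _ in range(p)]
    for a, b in product(range(p), repeat=2):
        # Solve Eq. (16): (M - I) [at, bt]^T = [a, b]^T over GF(p).
        at = inv * ((ga - 1) * a - be * b) % p
        bt = inv * ((al - 1) * b - de * a) % p
        phi = (b * (al * at + be * bt) - a * bt - al * de * at * at
               - al * (ga - 1) * at * bt - be * (ga - 1) * bt * bt) % p  # Eq. (12)
        phi2 = (al * de * at * at + be * ga * bt * bt) % p               # Eq. (13)
        coeff = omega(p, phi + half * phi2) / p
        P = pauli(a, b, p)
        for r in range(p):
            for c in range(p):
                T[r][c] += coeff * P[r][c]
    return T

def close(A, B, tol=1e-9):
    return all(abs(x - y) < tol for ra, rb in zip(A, B) for x, y in zip(ra, rb))

def is_unitary(T):
    n = len(T)
    Tdag = [[T[c][r].conjugate() for c in range(n)] for r in range(n)]
    identity = [[1.0 if r == c else 0.0 for c in range(n)] for r in range(n)]
    return close(matmul(T, Tdag), identity)

def satisfies_eq6(M, p):
    """Check X_a Z_b T = omega_p**f_M(a,b) T X_{a al+b be} Z_{a de+b ga} for all a, b."""
    (al, be), (de, ga) = M
    T = build_T(M, p)
    for a, b in product(range(p), repeat=2):
        lhs = matmul(pauli(a, b, p), T)
        phase = omega(p, f_M(M, a, b, p))
        rhs = matmul(T, pauli((a * al + b * be) % p, (a * de + b * ga) % p, p))
        if not close(lhs, [[phase * x for x in row] for row in rhs]):
            return False
    return True

def sl2(p):
    """All matrices ((al, be), (de, ga)) over GF(p) with determinant 1."""
    return [((al, be), (de, ga))
            for al, be, de, ga in product(range(p), repeat=4)
            if (al * ga - be * de) % p == 1]

def orbit_counts(a, b, p):
    """How often each Pauli label is the image of (a, b) as M runs over SL(2, p)."""
    counts = {}
    for (al, be), (de, ga) in sl2(p):
        img = ((a * al + b * be) % p, (a * de + b * ga) % p)
        counts[img] = counts.get(img, 0) + 1
    return counts

if __name__ == "__main__":
    M = ((1, 2), (2, 2))  # constructed sample element of SL(2, 3)
    print("Eq. (6) holds:", satisfies_eq6(M, 3))
    print("T(M) unitary:", is_unitary(build_T(M, 3)))
    print("images of X_1 Z_2:", orbit_counts(1, 2, 3))
```
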

B. An Entanglement-Based Quantum Key Distribution Scheme 



EB QKD Scheme A

1) Let the Hilbert space dimension of each quantum particle involved in this scheme be a prime power. Alice prepares $L \gg 1$ quantum particle pairs in the state $\sum_{i \in GF(N)} |ii\rangle/\sqrt{N}$. She randomly and independently applies a unitary transformation $T(M) \in T[SL(2, N)]$ to the second particle in each pair. She keeps the first particle and sends the second in each pair to Bob. Bob acknowledges the receipt of these particles and then applies a randomly and independently picked $T(M')^{-1}$ to each received particle. Now, Alice and Bob publicly reveal their unitary transformations applied to each particle. A shared pair is then kept and is said to be in the set $S_M$ if Alice and Bob have applied $T(M)$ and $T(M)^{-1}$ to the second particle of the shared pair respectively. Thus in the absence of noise and Eve, each pair of shared particles kept by Alice and Bob should be in the state $\sum_{i \in GF(N)} |ii\rangle/\sqrt{N}$.

2) Alice and Bob estimate the channel error rate by sacrificing a few particle pairs. Specifically, they randomly pick $O([N+1]^2 \log\{N[N^2-1]/\epsilon\}/\delta^2 N^2)$ pairs from each of the $N(N^2-1)$ sets $S_M$ and measure each particle of the pair in the $\{|i\rangle : i \in GF(N)\}$ basis, namely the standard basis. They publicly announce and compare their measurement results. In this way, they know the estimated channel error rate to within $\delta$ with probability at least $(1 - \epsilon)$. (A detailed proof of this claim can be found in Ref. [2]. A brief outline of the proof will also be given in Subsection IV-B for handy reference.) If the channel error rate is too high, they abort the scheme and start all over again.

3) Alice and Bob perform the following privacy amplification procedure. (It will be shown in Section IV that step 3a below reduces errors of the form $X_a Z_b$ with $a \neq 0$ at the expense of increasing errors of the form $Z_c$ with $c \neq 0$. In contrast, step 3b below reduces errors of the form $X_a Z_b$ with $b \neq 0$ at the expense of increasing errors of the form $X_c$ with $c \neq 0$. Applying steps 3a and 3b in turn is an effective way to reduce all kinds of quantum errors provided that the error rate is not too high.)

a) Alice and Bob apply the entanglement purification procedure by two-way classical communication (LOCC2 EP) similar to the one reported in Refs. [21], [28]. Specifically, Alice and Bob randomly group their remaining quantum particles in tetrads where each tetrad consists of two pairs shared by Alice and Bob in Step 1. Alice randomly picks one of the two particles in her share of each tetrad as the control register and the other as the target. She applies the following unitary operation to the control and target registers:

$$|i\rangle_{\text{control}} \otimes |j\rangle_{\text{target}} \mapsto |i\rangle_{\text{control}} \otimes |j - i\rangle_{\text{target}}, \tag{18}$$

where the subtraction is performed in the finite field $GF(N)$. Bob applies the same unitary transformation to his corresponding share of particles in the tetrad. Then, they publicly announce the measurement results of their target registers in the standard basis. They keep their control registers only when the measurement results of their corresponding target registers agree. They repeat the above LOCC2 EP procedure until there is an integer $r > 0$ such that a single application of step 3b will bring the signal quantum error rate of the resultant particles down to less than $\epsilon_I/\ell^2$ for an arbitrary but fixed security parameter $\epsilon_I > 0$, where $r\ell$ is the number of remaining pairs they share currently. They abort the scheme either when $r$ is greater than the number of remaining quantum pairs they possess or when they have used up all their quantum particles in this procedure.
b) They apply the majority vote phase error correction (PEC) procedure introduced by Gottesman and Lo [24]. Specifically, Alice and Bob randomly divide the resultant particles into sets each containing $r$ pairs of particles shared by Alice and Bob. Alice and Bob jointly apply the $[r, 1, r]_N$ phase error correction procedure to their corresponding shares of $r$ particles in each set and retain their phase error corrected quantum particles. At this point, Alice and Bob should share $\ell$ almost perfect pairs $\sum_{i \in GF(N)} |ii\rangle/\sqrt{N}$ with fidelity at least $(1 - \epsilon_I/\ell)$. By measuring their shared pairs in the standard basis, Alice and Bob obtain their common key. More importantly, Eve's information on this common key is less than the security parameter $\epsilon_I$. (Proof of this claim can be found in Theorem [3] in Subsection IV-C below.)

One may simplify Scheme A by picking $T(M)$'s from $T[H]$, where $H$ is a proper subgroup of $SL(2, N)$ whose number of elements divides $(N^2 - 1)$. Theorem [8] in the Appendix tells us that the subgroup $H$ exists if and only if $N = 2, 3, 5, 7, 11$ and $|H| = N^2 - 1$. From now on, we use the symbol $G$ to denote either the entire group $SL(2, N)$ or the order $(N^2 - 1)$ subgroup $H$ of $SL(2, N)$.

In the case N = 2 and G equals the cyclic group of three 
elements, Scheme A is a variation of the six-state scheme 
introduced by Chau in Ref. [25]. The key difference is that, 
unlike the former one, the present scheme does not make use 
of Calderbank-Shor-Steane quantum code after PEC. 

Lemma [5] in Subsection IV-C shows that all Pauli errors in the quantum signal right after step 1 in Scheme A are depolarized. Furthermore, Theorem [8] in the Appendix shows that the same conclusion applies when Alice and Bob pick $M$ from a subgroup $H$ of $SL(2, N)$ of order $(N^2 - 1)$.



IV. Cryptanalysis Of The Entanglement-Based 
Quantum Key Distribution Scheme 

In this section, we present a detailed unconditional security 
proof of Scheme A in the limit of a large number of quantum 
particles L transmitted. We also investigate the maximum error 
tolerance rate of Scheme A against the most general type of 
eavesdropping attack allowed by the laws of quantum physics. 
With suitable modifications, the security proof reported here 
can be extended to the case of a small finite L. Nevertheless, 
working in the limit of large L makes the asymptotic error 
tolerance rate analysis easier. 

The remainder of this section is organized as follows. In Subsection IV-A, we define various error rate measures and discuss how to fairly compare error tolerance capabilities between different QKD schemes. Then in Subsection IV-B, we briefly explain why a reliable upper bound of the channel error can be obtained by randomly testing only a small subset of quantum particles in step 2 of Scheme A. Finally in Subsection IV-C, we prove the security of the privacy amplification procedure in step 3 of Scheme A and analyze its error tolerance rate. This will complete the proof of unconditional security for EB Scheme A.

A. Fair Comparison Of Error Tolerance Capability And Various Measures Of Error Rates

Definition 3: Recall that Alice prepares $L$ particle pairs each in the state $\sum_{i \in GF(N)} |ii\rangle/\sqrt{N}$ and randomly applies $T(M) \in T[G]$ to the second particle in each pair. We denote the resultant (pure) state of the pairs by $\bigotimes_{j=1}^{L} |\phi_j\rangle$. Then, she sends one particle in each pair through an insecure quantum channel to Bob; and upon receipt, Bob randomly applies $T(M')^{-1}$ to his share of the pair. The channel quantum error rate in this situation is defined as the marginal error rate of the measurement results if Alice and Bob were to make a hypothetical measurement on the $j$th shared quantum particle pair in the basis $\{ I \otimes X_a Z_b |\phi_j\rangle : a, b \in GF(N) \}$ for all $j$. In other words, the channel quantum error rate equals $1/L$ times the expectation value of the cardinality of the set $\{ j : \text{hypothetical measurement of the } j\text{th pair equals } I \otimes X_a Z_b |\phi_j\rangle \text{ with } (a,b) \neq (0,0) \}$. The channel standard basis measurement error rate is defined as $1/L$ times the expectation value of the cardinality of the set $\{ j : \text{hypothetical measurement of the } j\text{th pair equals } I \otimes X_a Z_b |\phi_j\rangle \text{ with } a \neq 0 \}$. The next two definitions concern only those quantum particle pairs retained by Alice and Bob in $\bigcup_{M \in G} S_M$. (That is, those that Alice and Bob have applied $T(M)$ and $T(M)^{-1}$ to the second particle of the shared pair for some $M \in G$ respectively.) In the absence of noise and Eve, all such particle pairs should be in the state $\sum_{i \in GF(N)} |ii\rangle/\sqrt{N}$. The signal quantum error rate (or quantum error rate (QER) for short) in this situation is defined as the expectation value of the proportion of particle pairs in $\bigcup_{M \in G} S_M$ whose measurement result in the basis $\{ \sum_{i \in GF(N)} |i\rangle \otimes X_a Z_b |i\rangle/\sqrt{N} : a, b \in GF(N) \}$ equals $\sum_{i \in GF(N)} |i\rangle \otimes X_a Z_b |i\rangle/\sqrt{N}$ for some $(a,b) \neq (0,0)$. The signal standard basis measurement error rate (or standard basis measurement error rate (SBMER) for short) is defined as the expectation value of the proportion of particle pairs in $\bigcup_{M \in G} S_M$ whose measurement result in the basis $\{ \sum_{i \in GF(N)} |i\rangle \otimes X_a Z_b |i\rangle/\sqrt{N} : a, b \in GF(N) \}$ equals $\sum_{i \in GF(N)} |i\rangle \otimes X_a Z_b |i\rangle/\sqrt{N}$ for some $a \neq 0$. In other words, SBMER measures the apparent error rate of the signal when Alice and Bob measure their respective shares of particles in the standard basis. In the special case of $N = 2^n$, any standard basis measurement result can be bijectively mapped to an $n$-bit string. Thus, it makes sense to define the signal bit error rate (or bit error rate (BER) for short) as the marginal error rate of the $n$-bit string resulting from a standard basis measurement of the signal at the end of the signal preparation and transmission stage.

Three important remarks are in place. First, SBMERs and 
BERs of QKD schemes using quantum particles of different 
dimensions as information carriers should never be compared 
directly. This is because the quantum communication channels 
used are different. In addition, the same eavesdropping strategy 
may lead to different error rates [13], [14], [15], [16], [18]. 
It appears that the only sensible situation in which it is meaningful to compare the error tolerance capabilities of two QKD schemes is when the schemes are using the same quantum communication channel and are subjected to the same eavesdropping attack. Specifically, let Alice reversibly map every $p^n$-dimensional quantum state used in Scheme A into $n$ possibly entangled $p$-dimensional quantum particles and send them through an insecure $p$-dimensional quantum particle communication channel to Bob. Moreover, since we assume that Alice and Bob do not have quantum storage capability, it is reasonable to require that Alice prepares and sends packets of $n$ possibly entangled $p$-dimensional quantum particles one after another. In this way, Scheme A becomes an entangled-particle-based QKD scheme. More importantly, Eve may apply the same eavesdropping attack on the insecure $p$-dimensional quantum particle channel used by Alice and Bob irrespective of the value $n$. Thus, it is fair to compare the error tolerance capability between two entangled-particle-based QKD schemes derived from Scheme A using $p^n$- and $p^{n'}$-dimensional particles respectively against any eavesdropping attack on the $p$-dimensional quantum particle channel.

Second, the BER defined above for $N = 2^n$ with $n > 1$ depends on the bijection used. Fortunately, in Subsection IV-C readers will find that the BER for the QKD scheme reported in this paper is independent of this bijection.

Third, Lemma 3 in Subsection IV-C and Theorem 8 in the Appendix show that Pauli errors that occurred in a collection of $N$-dimensional quantum registers are depolarized if we conjugate each register by a randomly and independently picked $T(M) \in T[G]$. Furthermore, the channel quantum error rate is equal to the QER of the signal. Roughly speaking, QER refers to the rate of any quantum error (phase shift and/or spin flip) occurring in the pair $\sum_{i \in GF(N)} |ii\rangle/\sqrt{N}$ shared by Alice and Bob. In contrast, the depolarization of Pauli errors implies that the channel standard basis measurement error rate does not equal the SBMER in general.



B. Reliability Of The Error Rate Estimation 

In Scheme A, Alice and Bob keep only those particle pairs that are believed to be in the state $\sum_{i \in GF(N)} |ii\rangle/\sqrt{N}$ at the end of step 1. Then, they measure some of them in the standard basis in the signal quality control test in step 2. More importantly, since all the LOCC2 EP and PEC privacy amplification procedures in step 3 map standard basis to standard basis, we can imagine that the final standard basis measurements of their shared secret key were performed right at the beginning of step 3. In this way, any quantum eavesdropping strategy used by Eve is reduced to a classical probabilistic cheating strategy. In other words, for any quantum eavesdropping strategy, one can always find an equivalent Pauli attack that has the same probability of passing the signal quality control test in step 2 and gives the same density matrix of the shared quantum particles just before the final standard basis measurement in step 3. Therefore, we need only to consider Pauli attack in the subsequent analysis [3].

Recall that in step 2, Alice and Bob do not care about the measurement result of an individual quantum register; they only care about the difference between the measurement outcome of Alice and the corresponding outcome of Bob. In other words, they apply the projection operator

$$P_a = \sum_{i \in GF(N)} |i, i+a\rangle\langle i, i+a| \tag{19}$$

to each of the randomly selected quantum registers in the set $\bigcup_{M \in G} S_M$. The projection operator $P_a$ can be rewritten in a form involving Bell-like states as follows. Define $|\Phi_{ab}\rangle$ to be the Bell-like state $\sum_{i \in GF(N)} |i\rangle \otimes X_a Z_b |i\rangle/\sqrt{N} = \sum_{i \in GF(N)} \omega_p^{\mathrm{Tr}(ib)} |i, i+a\rangle/\sqrt{N}$. Then, $P_a$ can be rewritten as

$$P_a = \sum_{b \in GF(N)} |\Phi_{ab}\rangle\langle\Phi_{ab}|. \tag{20}$$

Since every particle pair in $S_M$ is subjected to $T(M)$ and $T(M)^{-1}$ before and after passing through the insecure channel respectively, $P_a$ is a measure of whether an error of the form $T(M) X_a Z_b T(M)^{-1}$ for some $b \in GF(N)$ has occurred in this pair. Recall that $M \in G$ is randomly and independently chosen for each pair. Moreover, such a choice is known to Eve after the second half of the particle pair has reached Bob. So, combined with Eqs. (6) and (19)-(20), the signal quality control test in step 2 of Scheme A can be regarded as an effective random sampling test for the fidelity of the pairs as $|\Phi_{00}\rangle = \sum_{i \in GF(N)} |ii\rangle/\sqrt{N}$.

At this point, classical sampling theory can be used to estimate the quantum channel error and hence the eavesdropping rate of the classical probabilistic cheating strategy used by Eve, as well as the fidelity of the remaining pairs as $|\Phi_{00}\rangle$.

Lemma 2 (Adapted from Lo, Chau and Ardehali [2]): 
Suppose that immediately after step [2 in Scheme A, Alice 
and Bob share $L_M$ pairs of particles in the set $S_M$, namely, those particles that were conjugated by $T(M)$. Suppose further that Alice and Bob randomly pick $O(\log[1/\epsilon]/\delta^2) < 0.01 L_M$ of the $L_M$ pairs for testing in step 2. Define the estimated channel standard basis measurement error rate $\hat{e}_M$ to be the portion of tested pairs whose measurement results obtained by Alice and Bob differ. Denote the channel standard basis measurement error rate for the set $S_M$ by $e_M$. Then, the probability that $|\hat{e}_M - e_M| > \delta$ is of the order of $\epsilon$ for any fixed $\delta > 0$.

Proof: Using earlier discussions in this subsection, the 
problem depicted in this lemma is equivalent to a classical 
random sampling problem without replacement whose solution 
follows directly from Lemma 1 in Ref. [2]. ■ 

Lemma 2 assures that by randomly choosing $O(\log[1/\epsilon]/\delta^2)$ out of $L_M$ pairs to test, the unbiased estimator $\hat{e}_M$ cannot differ significantly from the actual channel standard basis measurement error rate $e_M$. More importantly, the number of particle pairs they need to test is independent of $L_M$. Therefore, in the limit of large $L_M$ (and hence large $L$), randomly testing a negligibly small portion of quantum particle pairs is sufficient for Alice and Bob to estimate the channel standard basis measurement error rate in the set $S_M$ with high confidence [2]. In addition, the QER of the remaining untested particle pairs is the same as that of $\bigcup_{M \in G} S_M$ in the large $L$ limit.

Theorem 2: Let $G$ denote the group $SL(2,N)$ or its order $(N^2 - 1)$ subgroup $H$ reported in Theorem 8. Using the notation in Lemma 2, $(N+1)\langle \hat{e}_M \rangle/N$ is a reliable estimator of the upper bound of the QER, where $\langle \cdot \rangle$ denotes the mean averaged over all $M \in G$. Specifically, the probability that the QER exceeds $(N+1)(\langle \hat{e}_M \rangle + \delta)/N$ is less than $\epsilon |G|$.

Proof: Recall that Eve does not know the choice of 
unitary operators applied by Alice and Bob in step [2 in 
Scheme A. Consequently, by Lemma 3 in Subsection IV-C or Theorem 8 in the Appendix, step 1 in Scheme A depolarizes Pauli errors of the quantum particles. That is to say, in the limit of a large $L$, the $X_a Z_b$ error rate in the set $S_I$ is equal to that of $T(M)^{-1} X_a Z_b T(M)$ in the set $S_M$ for all $M \in G$. Among the $T(M)^{-1} X_a Z_b T(M) = \omega_p^{f_M(a,b)} X_c Z_d$ errors occurring in the set $S_M$, only those with $c \neq 0$ can be recorded in step 2. Thus, the estimator for the QER equals $(N^2 - 1)\langle \hat{e}_M \rangle/N(N-1) = (N+1)\langle \hat{e}_M \rangle/N$. This theorem now follows directly from Lemma 2. ■

To summarize, once the signal quality control test in step 2 of Scheme A is passed, Alice and Bob have high confidence (of at least $(1 - \epsilon)$) that the QER of the remaining untested particle pairs is small enough for the signal privacy amplification stage in step 3 to handle. Moreover, the estimation given in Theorem 2 is independent of the phase $f_M(a,b)$ used by the unitary operator $T(M)$.

Before drawing a close to this subsection, we would like to 
point out that one can estimate the QER in a more aggressive 
way. Specifically, Alice and Bob do not only know whether the 
measurement results of each tested pair are equal, in fact they 
also know the difference between their measurement results 
in each tested pair. They may exploit this extra piece of 
information to better estimate the probability of $X_a Z_b$ error in the signal for each $a, b \in GF(N)$. Such estimation helps them to devise tailor-made privacy amplification schemes that tackle the specific kind of error caused by channel noise and Eve. While this methodology will be useful in practical QKD, we shall not pursue this further here as the aim of this paper is the worst-case cryptanalysis in the limit of a large number of quantum particle transfers $L$.

C. Security Of Privacy Amplification 

Definition 4: We denote the $X_a Z_b$ error rate of the quantum particles shared by Alice and Bob just before step 3 in Scheme A by $e_{a,b}$. When there is no possible confusion in the subscript, we shall write $e_{ab}$ instead of $e_{a,b}$. Similarly, we denote the $X_a Z_b$ error rate of the resultant quantum particles shared by them after $k$ rounds of LOCC2 EP by $e^{k\mathrm{EP}}_{a,b}$ or $e^{k\mathrm{EP}}_{ab}$. Suppose further that Alice and Bob perform PEC using the $[r, 1, r]_N$ majority vote code after $k$ rounds of LOCC2 EP. We denote the resultant $X_a Z_b$ error rate by $e^{\mathrm{PEC}}_{a,b}$ or $e^{\mathrm{PEC}}_{ab}$.

Lemma 3: Let $G = SL(2,N)$. The signal quantum error suffered by quantum particle pairs in $\bigcup_{M \in SL(2,N)} S_M$ can be regarded as depolarized. In other words, the QER satisfies

$$\sum_{i,j \in GF(N)} e_{ij} = 1 \tag{21}$$

and

$$e_{ab} = e_{a'b'} \quad \text{for all } (a,b), (a',b') \neq (0,0). \tag{22}$$

Proof: Recall that Alice and Bob randomly and independently apply $T(M)$ and $T(M')^{-1}$ to each transmitted quantum register. More importantly, their choices are unknown to Eve when the quantum particle is traveling in the insecure channel. Let $\mathcal{E}$ be the quantum operation that Eve applies to the quantum particles in the set $\bigcup_{M \in SL(2,N)} S_M$. (In other words, $\mathcal{E}$ is a completely positive convex-linear map acting on the set of density matrices describing the quantum particle pairs to which Alice and Bob have applied $T(M)$ and $T(M)^{-1}$ respectively for some $M \in SL(2,N)$. Moreover, $0 \le \mathrm{Tr}(\mathcal{E}(\rho)) \le 1$ for any density matrix $\rho$.) After Alice and Bob have publicly announced their choices of quantum operations, every quantum particle pair in $\bigcup_M S_M$ has an equal chance of having experienced $[\bigotimes_j T(M_j)^{-1}] \, \mathcal{E} \, [\bigotimes_j T(M_j)]$ where $M_j \in SL(2,N)$. Note that the index $j$ in the tensor product in the above expression runs over all particle pairs in $\bigcup_M S_M$. From the discussions in Subsection IV-B, we know that Eve's attack may be reduced to a classical probabilistic one. In other words, we may regard $\mathcal{E}$ as a Pauli error operator. Since $SL(2,N)$ is a group and the set $\{ M \in SL(2,N) : M [a \; b]^t = [c \; d]^t \}$ contains $N$ elements for all $[a \; b], [c \; d] \neq [0 \; 0]$, we conclude from Eq. (6) that the Pauli quantum error of the quantum particles in the set $\bigcup_{M \in SL(2,N)} S_M$ is depolarized. Hence, Eqs. (21) and (22) apply. ■

After establishing the initial conditions for the QER, we 
investigate the effect of LOCC2 EP on the QER. 

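Lemma 4: In the limit of a large number of transmitted quantum registers, $e^{k\mathrm{EP}}_{ab}$ is given by

$$e^{k\mathrm{EP}}_{ab} = \frac{\sum_{c_0, \ldots, c_{2^k-2}} e_{a c_0} e_{a c_1} \cdots e_{a c_{2^k-2}} \, e_{a, b - c_0 - c_1 - \cdots - c_{2^k-2}}}{\sum_{i \in GF(N)} \left( \sum_{j \in GF(N)} e_{ij} \right)^{2^k}}. \tag{23}$$

In particular, if $e_{ab}$'s are given by Eqs. (21) and (22), then

$$e^{k\mathrm{EP}}_{00} = \frac{[e_{00} + (N-1)e_{01}]^{2^k} + (N-1)(e_{00} - e_{01})^{2^k}}{N \left\{ [e_{00} + (N-1)e_{01}]^{2^k} + (N-1) N^{2^k} e_{01}^{2^k} \right\}}, \tag{24}$$

$$e^{k\mathrm{EP}}_{0b} = \frac{[e_{00} + (N-1)e_{01}]^{2^k} - (e_{00} - e_{01})^{2^k}}{N \left\{ [e_{00} + (N-1)e_{01}]^{2^k} + (N-1) N^{2^k} e_{01}^{2^k} \right\}} \tag{25}$$

for all $b \neq 0$ and

$$e^{k\mathrm{EP}}_{ab} = \frac{N^{2^k} e_{01}^{2^k}}{N \left\{ [e_{00} + (N-1)e_{01}]^{2^k} + (N-1) N^{2^k} e_{01}^{2^k} \right\}} \tag{26}$$

for all $a, b \in GF(N)$ with $a \neq 0$.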

Proof: Suppose that Bob's control and target registers experience $X_a Z_b$ and $X_{a'} Z_{b'}$ errors respectively. (In contrast, those retained by Alice are error-free as they never passed through the insecure noisy channel.) After applying the unitary operation in Eq. (18), the errors in the control and target registers become $X_a Z_{b+b'}$ and $X_{a'-a} Z_{b'}$ respectively.

Recall that the privacy amplification procedure in step 3 is performed irrespective of which set $S_M$ the particle belongs to. So, in the limit of a large number of transmitted quantum registers, the covariance between probabilities of picking any two distinct quantum registers tends to zero. Likewise, the covariance between probabilities of picking any two distinct pairs of quantum registers also tends to zero. Hence, in this limit, the expectation value of the $X_a Z_b$ error rate just after applying the unitary operation in Eq. (18) can be computed by assuming that the error in every pair of control and target registers is independent. Moreover, the variance of the $X_a Z_b$ error rate tends to zero in this limit.

To show that Eq. (23) is valid, let us recall that Alice and Bob keep their control registers only when the measurement results of their corresponding target registers agree. In other words, they keep a control register only when $a = a'$. Thus, once the control register in Bob's laboratory is kept, it will suffer an error $X_d Z_c$ where $d = a$ and $c = b + b'$. Therefore, in the limit of a large number of transmitted quantum registers, the number of quantum registers remaining after $(k+1)$ rounds of LOCC2 EP is proportional to $\sum_{i \in GF(N)} (\sum_{j \in GF(N)} e^{k\mathrm{EP}}_{ij})^2$. Similarly, the number of quantum registers suffering from $X_a Z_b$ errors after $(k+1)$ rounds of LOCC2 EP is proportional to $\sum_{c \in GF(N)} e^{k\mathrm{EP}}_{ac} e^{k\mathrm{EP}}_{a,b-c}$. Furthermore, the two proportionality constants are the same. Therefore,

$$e^{(k+1)\mathrm{EP}}_{ab} = \frac{\sum_{c \in GF(N)} e^{k\mathrm{EP}}_{ac} \, e^{k\mathrm{EP}}_{a,b-c}}{\sum_{i \in GF(N)} \left( \sum_{j \in GF(N)} e^{k\mathrm{EP}}_{ij} \right)^2} \tag{27}$$

for all $k \in \mathbb{N}$. Eq. (23) can then be proven by mathematical induction on $k$. (It is easier to use mathematical induction to prove the validity of the numerator in Eq. (23) and then use Eq. (21) to determine the denominator.)

In particular, if the initial error rates $e_{ab}$'s are given by Eqs. (21) and (22), then Eqs. (24)-(26) can be proven by mathematical induction on $k$ with the help of Eq. (27). ■



Lemma 4 generalizes a similar result for qubits [24], [25]. In fact, the effect of LOCC2 EP is to reduce errors of the form $X_a Z_b$ with $a \neq 0$ at the expense of possibly increasing errors of the form $Z_c$ with $c \neq 0$. We further remark that in the case where $L$ is finite, $e^{k\mathrm{EP}}_{ab}$ is determined by solving the classical problem of randomly pairing $N^2$ kinds of balls in an urn containing $2r\ell$ balls. Therefore, $e^{k\mathrm{EP}}_{ab}$ is related to the so-called multivariate hypergeometric distribution whose theory is reviewed extensively in Ref. [29].
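
The recursion in Eq. (27) and the closed forms in Eqs. (24)-(26) can be checked against each other numerically. The Python sketch below is an added example, not code from the paper; it assumes GF(p^n) elements are encoded as integers whose base-p digits add mod p (only the additive group is needed), and all function names are hypothetical.

```python
def additive_group(p, n):
    """Return (add, neg) tables for the additive group of GF(p**n).

    Assumed encoding: an element is an integer 0..p**n-1 whose base-p digits
    are its coordinates over GF(p); addition is digit-wise mod p.
    """
    N = p ** n

    def digits(x):
        return [(x // p ** i) % p for i in range(n)]

    def encode(ds):
        return sum(d * p ** i for i, d in enumerate(ds))

    add = [[encode([(u + v) % p for u, v in zip(digits(x), digits(y))])
            for y in range(N)] for x in range(N)]
    neg = [encode([(-d) % p for d in digits(x)]) for x in range(N)]
    return add, neg


def depolarized_rates(N, qer):
    """Initial e[a][b] obeying Eqs. (21)-(22): e_00 = 1 - QER, all others equal."""
    e01 = qer / (N * N - 1)
    e = [[e01] * N for _ in range(N)]
    e[0][0] = 1.0 - qer
    return e


def locc2_ep_round(e, add, neg):
    """One round of LOCC2 EP acting on the X_a Z_b error rates, Eq. (27)."""
    N = len(e)
    norm = sum(sum(row) ** 2 for row in e)
    return [[sum(e[a][c] * e[a][add[b][neg[c]]] for c in range(N)) / norm
             for b in range(N)] for a in range(N)]


def closed_form(N, e00, e01, k):
    """Eqs. (24)-(26): (e_00, e_0b for b != 0, e_ab for a != 0) after k rounds."""
    m = 2 ** k
    big = (e00 + (N - 1) * e01) ** m
    denom = N * (big + (N - 1) * N ** m * e01 ** m)
    diff = (e00 - e01) ** m
    return ((big + (N - 1) * diff) / denom,
            (big - diff) / denom,
            N ** m * e01 ** m / denom)


def max_deviation(p, n, qer, k):
    """Iterate Eq. (27) k times; return the largest gap to Eqs. (24)-(26)."""
    N = p ** n
    add, neg = additive_group(p, n)
    e = depolarized_rates(N, qer)
    e00, e01 = e[0][0], e[0][1]
    for _ in range(k):
        e = locc2_ep_round(e, add, neg)
    c00, c0b, cab = closed_form(N, e00, e01, k)
    worst = abs(e[0][0] - c00)
    for a in range(N):
        for b in range(N):
            if (a, b) != (0, 0):
                worst = max(worst, abs(e[a][b] - (c0b if a == 0 else cab)))
    return worst


def error_split(e):
    """Return (spin-flip rate with a != 0, phase-only rate with a == 0, b != 0)."""
    return sum(sum(row) for row in e[1:]), sum(e[0][1:])


if __name__ == "__main__":
    for p, n, qer in [(2, 1, 0.3), (2, 2, 0.5), (3, 1, 0.4)]:
        print(p ** n, qer, max_deviation(p, n, qer, 3))
```

Running `error_split` before and after one round shows the trade described above: the spin-flip rate falls while the phase-only rate rises.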

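Lemma 5: In the limit of a large number of quantum particles transmitted from Alice to Bob, the $X_a Z_b$ error rate after PEC $e^{\mathrm{PEC}}_{ab}$ using $[r, 1, r]_N$ majority vote code satisfies

$$\sum_{a \neq 0} \sum_{b \in GF(N)} e^{\mathrm{PEC}}_{ab} \le r \sum_{a \neq 0} \sum_{b \in GF(N)} e^{k\mathrm{EP}}_{ab}. \tag{28}$$

Moreover, if $e_{ab}$'s satisfy Eqs. (21), (22) and $e_{00} > e_{01}$, then

$$\sum_{a \in GF(N)} \sum_{b \neq 0} e^{\mathrm{PEC}}_{ab} < (N-1) \left\{ 1 - \frac{N (e_{00} - e_{01})^{2^{k+1}}}{4 [e_{00} + (N-1)e_{01}]^{2^{k+1}}} \right\}^r \tag{29}$$

as $k \to \infty$. This inequality also holds if $r$ depends on $k$.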

Proof: Recall that the parity check matrix of the $[r, 1, r]_N$ majority vote code is



-1 



(30) 



Therefore, after measuring the (phase) error syndrome, the $Z_b$ error stays with the control register whereas the $X_a$ error propagates from the control as well as all target registers to the resultant control quantum register [30]. Specifically, let the error in the $i$th quantum register be $X_{a_i} Z_{b_i}$ for $i = 1, 2, \ldots, r$. Then, after measuring the error syndrome, the resultant error in the remaining control register equals $X_{a_1 + \cdots + a_r} Z_{b_1}$. Consequently, after PEC, the error in the remaining register is $X_{a_1 + \cdots + a_r} Z_b$ where $b$ is the majority of $b_i$ ($i = 1, 2, \ldots, r$). In other words, after PEC, spin flip error rates are increased by at most $r$ times. Hence, Eq. (28) holds.

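By the same argument used in Lemma 4, in the limit of a large number of transferred quantum registers, the rate of any kind of phase error after PEC, $\sum_{a \in GF(N)} \sum_{b \neq 0} e^{\mathrm{PEC}}_{ab}$, satisfies

$$\sum_{a \in GF(N)} \sum_{b \neq 0} e^{\mathrm{PEC}}_{ab} < (N-1) \max\{ \Pr(\text{the number of registers suffering from error of the form } X_i Z_1 \text{ is greater than or equal to those suffering from error of the form } X_i \text{ when drawn from a random sample of } r \text{ registers, given a fixed } e_{00}) \}, \tag{31}$$

where the maximum is taken over all possible probabilities with different $e_{ab}$'s satisfying the constraints in Eqs. (21) and (22). We denote the sum $\sum_{a \in GF(N)} e^{k\mathrm{EP}}_{ab}$ by $e^{k\mathrm{EP}}_{Z_b}$. Then,

$$\begin{aligned}
\sum_{a \in GF(N)} \sum_{b \neq 0} e^{\mathrm{PEC}}_{ab}
&< (N-1) \max\Big\{ \sum_{s=0}^{r} \binom{r}{s} \left( 1 - e^{k\mathrm{EP}}_{Z_0} - e^{k\mathrm{EP}}_{Z_1} \right)^{r-s} \left( e^{k\mathrm{EP}}_{Z_0} + e^{k\mathrm{EP}}_{Z_1} \right)^{s} \Pr(\text{the number of registers suffering from error of the form } X_i Z_1 \text{ is greater than or equal to those suffering from error of the form } X_i \text{ when drawn from a random sample of } s \text{ registers, given that these } s \text{ registers are suffering from error of the form } X_i Z_b \text{ for } b = 0, 1, \text{ for a fixed } e_{00}) \Big\} \\
&< (N-1) \max\Big\{ \sum_{s=0}^{r} \binom{r}{s} \left( 1 - e^{k\mathrm{EP}}_{Z_0} - e^{k\mathrm{EP}}_{Z_1} \right)^{r-s} \left( e^{k\mathrm{EP}}_{Z_0} + e^{k\mathrm{EP}}_{Z_1} \right)^{s} \exp\left( -2s \left[ \frac{1}{2} - \frac{e^{k\mathrm{EP}}_{Z_1}}{e^{k\mathrm{EP}}_{Z_0} + e^{k\mathrm{EP}}_{Z_1}} \right]^2 \right) \Big\} \\
&= (N-1) \max\Big\{ \Big\{ 1 - \left( e^{k\mathrm{EP}}_{Z_0} + e^{k\mathrm{EP}}_{Z_1} \right) \times \Big[ 1 - e^{-2 [ 1/2 - e^{k\mathrm{EP}}_{Z_1} / ( e^{k\mathrm{EP}}_{Z_0} + e^{k\mathrm{EP}}_{Z_1} ) ]^2} \Big] \Big\}^r \Big\} \\
&< (N-1) \max\Big\{ \Big[ 1 - 2\iota \left( e^{k\mathrm{EP}}_{Z_0} + e^{k\mathrm{EP}}_{Z_1} \right) \left( \frac{1}{2} - \frac{e^{k\mathrm{EP}}_{Z_1}}{e^{k\mathrm{EP}}_{Z_0} + e^{k\mathrm{EP}}_{Z_1}} \right)^2 \Big]^r \Big\},
\end{aligned} \tag{32}$$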



where $\iota \to 1$ as $k \to \infty$. Note that we have used Eq. (1.2.5) in Ref. [31] to arrive at the second inequality above. (Eq. (1.2.5) is applicable because the assumption that $e_{00} > e_{01}$ leads to $e^{k\mathrm{EP}}_{Z_0} > e^{k\mathrm{EP}}_{Z_1}$ for a sufficiently large $k$.) It is straightforward to check that Eq. (32) remains valid if $r$ depends on $k$.

Since $e_{00} > e_{01}$, $(\sum_{b \in GF(N)} e_{0b})^{2^k} = [e_{00} + (N-1)e_{01}]^{2^k}$ is the dominant term in the common denominator of Eqs. (24)-(26) when $k$ is sufficiently large, Eq. (29) follows directly from
Eqs. and 03- ■ 

The above theorem tells us that the effect of PEC is to reduce errors of the form $X_a Z_b$ with $b \neq 0$ at the expense of possibly increasing errors of the form $X_c$ with $c \neq 0$. For this reason, powerful signal privacy amplification procedures can be constructed by suitably combining LOCC2 EP and PEC.

Now, we prove the unconditional security of Scheme A. 

Theorem 3: Let $N = p^n$ be a prime power, and let $\epsilon_p$, $\epsilon_I$ and $\delta$ be three arbitrarily small but fixed positive numbers. Define

$$e^{\mathrm{QER}} = \frac{(N^2 - 1)(2N + 1 - \sqrt{5})}{2N(N^2 + N - 1)}. \tag{33}$$

The EB QKD Scheme A involving the transfer of $N$-dimensional quantum particles is unconditionally secure with security parameters $(\epsilon_p, \epsilon_I)$ when the number of quantum register transfers $L = L(\epsilon_p, \epsilon_I, \delta)$ is sufficiently large. Specifically, provided that Alice and Bob abort the scheme whenever the estimated QER in step 2 is greater than $(e^{\mathrm{QER}} - \delta)$, the secret key generated by Alice and Bob is provably secure in the $L \to \infty$ limit. In fact, if Eve uses an eavesdropping strategy with at least $\epsilon_p$ chance of passing the signal quality test stage in step 2, the mutual information between Eve's measurement results after eavesdropping and the final secret key is less than $\epsilon_I$. In this respect, Scheme A tolerates asymptotically up to a QER of $e^{\mathrm{QER}}$.

Proof: By picking $L > (N+1)^2 |G| \log(|G|/\epsilon_p)/\delta^2 N^2$ and applying Lemma 2 and Theorem 2, we conclude that by testing $O([N+1]^2 \log[|G|/\epsilon_p]/\delta^2 N^2)$ pairs in each set $S_M$, any eavesdropping strategy that causes a QER higher than $e^{\mathrm{QER}}$ has less than $\epsilon_p$ chance of passing the signal quality test stage in step 2 of Scheme A. (Similarly, if the QER is less than $(e^{\mathrm{QER}} - 2\delta)$, it has at least $(1 - \epsilon_p)$ chance of passing step 2. As $\delta$ can be chosen to be arbitrarily small, the signal quality test stage in step 2 of Scheme A is not overly conservative.)

Now, suppose that Alice and Bob arrive at the signal privacy amplification stage in step 3 of Scheme A. Since $L \to \infty$, the quantum particle pairs used in the signal quality test stage in step 2 do not affect the error rates $e_{ab}$'s of the remaining untested particle pairs.

From the discussions in Subsection IV-B, we only need to consider the case when Eve uses a classical cheating strategy. Hence, the initial error rates $e_{ab}$'s satisfy Eqs. (21) and (22). After applying $k$ rounds of LOCC2 EP, Alice and Bob may consider picking $r$ used in the majority vote PEC to be

$$r \approx \frac{\epsilon_I [e_{00} + (N-1)e_{01}]^{2^k}}{2\ell (N-1) N^{2^k} e_{01}^{2^k}}, \tag{34}$$

where $\ell$ is the number of quantum particle pairs Alice and Bob share immediately after the PEC procedure in step 3. Provided that $e_{00} > e_{01}$, in the $k \to \infty$ limit, $r \to \infty$. So, from Eqs. (28) and (29) in Lemma 5, the QER of the remaining quantum registers after PEC, $e^{\mathrm{final}}$, is upper-bounded by

$$e^{\mathrm{final}} < \frac{\epsilon_I}{2\ell} + (N-1) \times \exp\left[ \frac{-\epsilon_I N (e_{00} - e_{01})^{2^{k+1}}}{8\ell (N-1) N^{2^k} e_{01}^{2^k} [e_{00} + (N-1)e_{01}]^{2^k}} \right]. \tag{35}$$

In other words, $e^{\mathrm{final}} < \epsilon_I/\ell$ provided that

$$(e_{00} - e_{01})^2 > N e_{01} [e_{00} + (N-1)e_{01}]. \tag{36}$$

This condition is satisfied if and only if

$$e_{00} > \frac{N^2 + 1 + (N^2 - 1)\sqrt{5}}{2N(N^2 + N - 1)}. \tag{37}$$

It is easy to verify that the constraint in Eq. (37) is consistent with the assumption that $e_{00} > e_{01}$. Hence, provided that the initial QER satisfies

$$\sum_{(a,b) \neq (0,0)} e_{ab} < \frac{(N^2 - 1)(2N + 1 - \sqrt{5})}{2N(N^2 + N - 1)} = e^{\mathrm{QER}}, \tag{38}$$



the fidelity of the $\ell$ quantum particle pairs shared between Alice and Bob immediately before they perform standard basis measurements to obtain their secret key is at least $1 - e^{\mathrm{final}} > 1 - \epsilon_I/\ell$. By Footnote 28 in Ref. [3], the mutual information between Eve's final measurement result after eavesdropping and the final secret key is at most $\epsilon_I$. Thus, provided Alice and Bob abort the scheme if the estimated QER in step 2 exceeds $(e^{\mathrm{QER}} - \delta)$, the secret key generated is provably secure. That is to say, the scheme is unconditionally secure with security parameters $(\epsilon_p, \epsilon_I)$. ■

     N     Tolerable SBMER     Tolerable BER
     2         27.64%              27.64%
     3         43.31%              N.A.
     4         53.40%              35.60%
     5         60.44%              N.A.
     7         69.62%              N.A.
     8         72.78%              41.59%
     9         75.34%              N.A.
    11         79.25%              N.A.
    13         82.09%              N.A.
    16         85.14%              45.41%

TABLE II

The tolerable SBMER and BER for Scheme A and hence also Schemes B and C for $N \le 16$. As pointed out in the text, the values of SBMER and BER should not be compared directly.

A few remarks are in order. First, as Scheme A reduces any 
kind of eavesdropping attacks in the channel to a classical 
cheating strategy which in turn is reduced to depolarization 
of the quantum signal, the ratio of the QER to the SBMER 
is given by (N + 1) : N. From Theorem the maximum 
tolerable SBMER for Scheme A equals 



$$e^{\mathrm{SBMER}} = \frac{(N^2 - 1)(2N + 1 - \sqrt{5})}{2(N+1)(N^2 + N - 1)}. \tag{39}$$

In addition, if $p = 2$, Lemma 3 implies that no matter what bijective map Alice and Bob use to convert their standard basis $2^n$-dimensional quantum particle measurement results into an $n$-bit string, the probability that exactly $i$ out of $n$ consecutive measured bits are in error equals $2^n e_{01} \binom{n}{i}$ for all $0 < i \le n$. Consequently, the BER equals $2^n e_{01} \sum_{i=0}^{n} \binom{n}{i} \frac{i}{n} = 2^{2n-1} e_{01}$; and the maximum tolerable BER for Scheme A is given by

$$e^{\mathrm{BER}} = \frac{N(2N + 1 - \sqrt{5})}{4(N^2 + N - 1)}. \tag{40}$$

We tabulate the tolerable SBMER and BER in Table II. However, we must emphasize once again that according to the discussions in Subsection IV-A, we cannot deduce the relative error tolerance capability from Table II.

Second, we study the tolerable error rate of Scheme A as a function of $N$. Table II shows that the maximum tolerable BER $e^{\mathrm{BER}}$ for $N = 2$ is the same as the one obtained earlier by Chau in Ref. [25]. Additionally, $e^{\mathrm{SBMER}}$ increases as $N$ increases. In fact, the tolerable SBMER and BER tend to 100% and 50% respectively as $N \to \infty$. More precisely, as $n \to \infty$, the tolerable BER for Scheme A using $2^n$-level quantum particles scales as $\approx 1/2 - (1 + \sqrt{5})/2^{n+2}$. If $N$ is a prime power, $e^{\mathrm{SBMER}}$ for Scheme A using $N$-level quantum particles scales as $\approx 1 - (3 + \sqrt{5})/2N$ as $N \to \infty$. On the other hand, the lemma below sets the upper limit for the tolerable SBMER for Scheme A.

Lemma 6: The tolerable SBMER for Scheme A is upper-bounded by $(N-1)/(N+1)$. In fact, this bound is set by the following intercept-and-resend strategy: for each $N$-dimensional particle in the insecure quantum channel, Eve randomly and independently picks $M \in SL(2,N)$ and measures the particle in the basis $\{ T(M)|i\rangle : i \in GF(N) \}$. Then, she records the measurement result and resends the measured particle to Bob.

Proof: The proof follows the idea reported in Ref. [24]. Clearly, using this intercept-and-resend strategy, no quantum correlation between Alice and Bob can survive and hence no provably secure key can be distributed. Thus, this eavesdropping strategy sets the upper bound for the tolerable SBMER and BER for Scheme A. If the quantum particle is prepared by Alice and measured by Eve in the same basis, that particle will suffer $Z_a$ error with equal probability for all $a \in GF(N)$. As Scheme A depolarizes Pauli errors, we know that $e_{00}$ induced by this eavesdropping strategy equals $1/N$. Therefore, the SBMER for this strategy is $[(1 - 1/N)/(N^2 - 1)] \times N(N-1) = (N-1)/(N+1)$. ■

Thus, the difference between the tolerable SBMER and its 
theoretical upper bound tends to zero in the limit of large N. 
So in this limit, the error tolerance capability of Scheme A 
approaches its maximally allowable value. 
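
The thresholds in Eqs. (33), (39) and (40), the convergence condition in Eq. (36) and the ceiling from Lemma 6 can be cross-checked in a few lines. The Python sketch below is an added example, not code from the paper; the function names are hypothetical, the table values are copied from Table II, and `final_error_bound` evaluates the right-hand side of Eq. (35) with $r$ chosen as in Eq. (34).

```python
import math

SQRT5 = math.sqrt(5.0)

# Table II as printed: N -> (tolerable SBMER %, tolerable BER % or None for N.A.)
TABLE_II = {2: (27.64, 27.64), 3: (43.31, None), 4: (53.40, 35.60),
            5: (60.44, None), 7: (69.62, None), 8: (72.78, 41.59),
            9: (75.34, None), 11: (79.25, None), 13: (82.09, None),
            16: (85.14, 45.41)}


def tolerable_qer(N):
    """Eq. (33): maximum tolerable quantum error rate."""
    return (N * N - 1) * (2 * N + 1 - SQRT5) / (2 * N * (N * N + N - 1))


def tolerable_sbmer(N):
    """Eq. (39), written via the depolarized QER : SBMER ratio (N + 1) : N."""
    return tolerable_qer(N) * N / (N + 1)


def tolerable_ber(N):
    """Eq. (40); meaningful only for N = 2^n."""
    if N < 2 or N & (N - 1):
        raise ValueError("BER is defined only when N is a power of two")
    return N * (2 * N + 1 - SQRT5) / (4 * (N * N + N - 1))


def depolarized(N, qer):
    """(e_00, e_01) for a depolarized signal with the given QER, Eqs. (21)-(22)."""
    return 1.0 - qer, qer / (N * N - 1)


def condition_36(N, qer):
    """True when Eq. (36) holds (with e_00 > e_01), so e_final can be driven down."""
    e00, e01 = depolarized(N, qer)
    return e00 > e01 and (e00 - e01) ** 2 > N * e01 * (e00 + (N - 1) * e01)


def threshold_by_bisection(N, iterations=80):
    """Largest QER satisfying Eq. (36), found numerically instead of via Eq. (33)."""
    lo, hi = 0.0, 1.0 - 1.0 / (N * N)   # at hi the signal is fully mixed: e_00 == e_01
    for _ in range(iterations):
        mid = (lo + hi) / 2
        if condition_36(N, mid):
            lo = mid
        else:
            hi = mid
    return lo


def final_error_bound(N, qer, k, eps_I, ell):
    """Right-hand side of Eq. (35) after k rounds of LOCC2 EP, r as in Eq. (34)."""
    e00, e01 = depolarized(N, qer)
    if not e00 > e01:
        raise ValueError("Eq. (35) assumes e_00 > e_01")
    if e01 == 0.0:
        return eps_I / (2 * ell)
    big = e00 + (N - 1) * e01
    # log of [(e00 - e01)^2 / (N e01 big)]^(2^k); kept in log form to avoid overflow
    log_ratio = (2 ** k) * math.log((e00 - e01) ** 2 / (N * e01 * big))
    if log_ratio > 700:                  # exp(-huge) is 0 to machine precision
        return eps_I / (2 * ell)
    phase = math.exp(-eps_I * N * math.exp(log_ratio) / (8 * ell * (N - 1)))
    return eps_I / (2 * ell) + (N - 1) * phase


def table_mismatches(tol=0.005):
    """Entries of Table II that the closed forms do not reproduce to two decimals."""
    bad = []
    for N, (sbmer, ber) in TABLE_II.items():
        if abs(100 * tolerable_sbmer(N) - sbmer) > tol:
            bad.append((N, "SBMER"))
        if ber is not None and abs(100 * tolerable_ber(N) - ber) > tol:
            bad.append((N, "BER"))
    return bad


if __name__ == "__main__":
    for N in TABLE_II:
        print(N, round(100 * tolerable_sbmer(N), 2), round(100 * (N - 1) / (N + 1), 2))
```

The bisection result coincides with Eq. (33), and for a QER above the threshold the bound from Eq. (35) no longer shrinks with $k$, which is why the scheme aborts there.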

Third, readers may wonder why Scheme A is highly error-tolerant especially when $N$ is large. Every quantum cheating strategy can be reduced to a classical one. Furthermore, Lemma 3 tells us that Scheme A depolarizes the errors caused by any classical cheating strategy in the transmitted quantum signals. This greatly restricts the types of quantum errors we need to consider. The LOCC2 EP becomes a powerful tool to reduce spin errors at the expense of increasing phase errors. Furthermore, $e^{k\mathrm{EP}}_{00} > e^{k\mathrm{EP}}_{0b}$ for all $b \neq 0$ provided that $e_{00} > e_{01}$. In other words, the dominant kind of phase error is having no phase error at all. Thus, the majority vote PEC procedure is effective in bringing down the phase error. This is the underlying reason why Scheme A is so powerful that, in the limit $N \to \infty$, $e^{\mathrm{SBMER}} \to 1^-$.

Fourth, the unconditional security proof in Theorem 3 does not depend on the phase $f_M(a,b)$ used in Eq. (6). Recall from the discussions in Subsection III-A that $T : SL(2,2^n) \to U(2^n)$ is not a group representation. So, in practice, Alice and Bob may replace $T(M_1 M_2 \cdots M_k)$ used in Scheme A by $T(M_k) T(M_{k-1}) \cdots T(M_1)$, in which the $M_i$'s are chosen from the two generators of $SL(2,2^n)$.

Fifth, the privacy amplification performed in Scheme A is 
based entirely on entanglement purification and phase error 
correction. In fact, the key ingredient in reducing the QER 
used in the proof of Theorem[3]is the validity of the condition 
stated in Eq. i36\ . Nonetheless, there is no need to bring 
down the QER to the small security parameter ej. One may 
devise an equally secure scheme by following the adaptive 
procedure introduced by Chau in Ref. [25] instead. That is to 
say, Alice and Bob may switch to a concatenated Calderbank- 
Shor-Steane quantum code when the PEC brings down the 
QER to about 5%. The strategy of adding an extra step 
of quantum error correction towards the end of the privacy 
amplification procedure may increase the key generation rate. 
To understand why, let us consider the proof of Theorem [3] 
together with Eq. (34). They tell us that in order to bring 
the QER down to less than $\epsilon$ after $k$ rounds of LOCC2 EP, 
Alice and Bob have to choose $r$ and hence the number of 
quantum registers needed in PEC to be ~ ec 2 for some 
constant c > 1. In contrast, by randomizing the quantum 
registers, the QER after each application of Steane's seven 
quantum register code is reduced quadratically whenever the 
QER is less than about 5%. Consequently, Alice and Bob may 
increase the key generation rate by performing fewer rounds 
of LOCC2 EP, choosing $\epsilon \approx 0.01$, and finally adding a few 
rounds of the Calderbank-Shor-Steane code quantum error 
correction procedure. 

V. Reduction To The Prepare-And-Measure Scheme 

Finally, we apply the standard Shor and Preskill proof [22] 
to reduce the EB Scheme A to two provably secure PM 
schemes in this section. Let us first write down the detailed 
procedures of Schemes B and C before showing their security. 

PM QKD Scheme B 

1) Alice randomly and independently prepares $L \gg 1$ 
quantum particles in the standard basis. She randomly 
and independently applies a unitary transformation 
$T(M) \in T[G]$ to each quantum particle, where $G$ 
equals $SL(2, N)$ or an order $(N^2 - 1)$ subgroup of 
$SL(2, N)$ (if it exists). Alice records the states and 
transformations she applied and then sends the states 
to Bob. Bob acknowledges the receipt of these particles 
and then applies a randomly and independently picked 
$T(M')^{-1}$ to each received particle. Now, Alice and Bob 
publicly reveal the unitary transformations they applied 
to each particle. A particle is kept and is said to be in 
the set $S_M$ if Alice and Bob have applied $T(M)$ and 
$T(M)^{-1}$ to it respectively. Bob measures the particles in 
$S_M$ in the standard basis and records the measurement 
results. 

2) Alice and Bob estimate the channel quantum error 
rate by sacrificing a few particles. Specifically, they 
randomly pick $O([N + 1]^2 \log[|G|/\epsilon]/\delta^2 N^2)$ pairs from 
each of the $|G|$ sets $S_M$ and publicly reveal the preparation 
and measured states for each of them. In this way, 
they obtain the estimated channel error rate to within 
$\delta$ with probability at least $(1 - \epsilon)$. If the channel error 
rate is too high, they abort the scheme and start all over 
again. 

3) Alice and Bob perform the following privacy amplification 
procedure. 

a) They apply the privacy amplification procedure 
with two-way classical communication similar to 
the ones reported in Refs. [24], [25]. Specifically, 
Alice and Bob randomly group their corresponding 
remaining quantum particles in pairs. Suppose the 
$j$th particle of the $i$th pair was initially prepared 
in the state $|s_{ij}\rangle$. Then, Alice publicly announces 
the value $s_{i1} - s_{i2} \in GF(N)$ for each pair 
$i$. Similarly, Bob publicly announces the value 
$s'_{i1} - s'_{i2}$ where $|s'_{ij}\rangle$ is the measurement result of 
the $j$th particle in the $i$th pair. They keep one of 
their corresponding registers of the pair only when 
their announced values of the corresponding pairs 
agree. They repeat the above procedure until there 
is an integer $r > 0$ such that a single application 
of step 3b will bring the signal quantum error 
rate of the resultant particles down to $\epsilon_I/\ell^2$ for 
a fixed security parameter $\epsilon_I > 0$, where $r\ell$ is the 
number of remaining quantum particles they have. 
They abort the scheme either when $r$ is greater 
than the number of remaining quantum particles 
they possess or when they have used up all their 
quantum particles in this procedure. 

b) They apply the majority vote phase error correction 
procedure introduced by Gottesman and Lo [24]. 
Specifically, Alice and Bob randomly divide their 
corresponding resultant particles into sets each 
containing $r$ particles. They replace each set by 
the sum of the values prepared (by Alice) or 
measured (by Bob) of the $r$ particles in the set. 
These replaced values are bits of their final secure 
key string. 

EQB PM QKD Scheme C[$2^n$, $n_{\rm ns}$] 

1) Alice and Bob agree on a bijection mapping $GF(2^n)$ to 
an $n$-bit string. Alice prepares $L \gg 1$ sets; and each set 
contains $n$ qubits that are randomly and independently 
prepared in the standard basis $\{|i\rangle : i \in GF(2^n)\}$ 
identified through their mutually agreed bijection. She 
records the state of each set in the form of an $n$-bit 
string. Then, she randomly and independently applies 
$T(M) \in T[G]$ to each set of qubits, where $G$ equals 
$C_3 < SL(2, 2)$ and $SL(2, 2^n)$ for $n = 1$ and $n > 1$ 
respectively. She permutes the $n$ qubits in each set with 
$n_{\rm ns}$ randomly prepared non-signaling qubits and sends 
them to Bob. (In the upcoming analysis, one finds that 
for a fixed $n$, the tolerable BER of this scheme increases 
with $n_{\rm ns}$. However, the number of non-signaling qubits 
used is limited by the absence of quantum storage 
capability.) After Bob has received these qubits, Alice 
tells him which of the $n$ qubits belong to a set that will 
be used to generate the key. Bob measures and discards 
the $n_{\rm ns}$ non-signaling qubits and applies a randomly 
and independently picked $T(M')^{-1}$ to each of the $n$ 
qubits in the set that will be used to generate the 
key. Now, Alice and Bob publicly reveal their unitary 
transformations applied to each set. A set is kept and 
is said to be in $S_M$ if Alice and Bob have applied 
$T(M)$ and $T(M)^{-1}$ to it respectively. Bob records the 
standard basis measurement results identified through 
their mutually agreed on bijection in the form of an 
$n$-bit string for each set in $S_M$. At this point, Alice and 
Bob should each have $|G|$ families of $n$-bit strings; each 
family contains the prepared state/measurement result of 
qubits in $S_M$. Moreover, in the absence of noise and 
Eve, the corresponding bit strings in Alice's and Bob's 
hands should agree. 

2) Alice and Bob regard their $|G|$ families of $n$-bit strings 
as states in the standard basis $\{|i\rangle : i \in GF(N)\}$ and 
follow steps 2 and 3 in Scheme B to obtain their secret 
key. 

Note that in Scheme C[$2^n$, $n_{\rm ns}$] (or Scheme C for short if 
the values of $n$ and $n_{\rm ns}$ are clearly known to the readers), apart 
from the possibly entangled qubits that are used to generate 
the secret key, Alice and Bob have to create and send random 
non-signaling qubits through the insecure channel. The proofs 
of Theorems 4 and 5 below tell us that while the use of 
non-signaling qubits does not change the tolerable BER, it is 
essential for Scheme C to tolerate more drastic eavesdropping 
attacks. 

Theorem 4 (Based on Shor and Preskill [22]): The tolerable 
BER of Scheme A in Subsection III-B as well as 
Schemes B and C above are equal. Thus, the conclusion of 
Theorem 3 is also applicable to Schemes B and C. 

Proof: Recall from Ref. [22] that Alice may measure all 
her share of quantum registers right at step 2 in Scheme A 
without affecting the security of the scheme. Besides, LOCC2 
EP and PEC procedures in Scheme A simply permute the 
measurement basis. Also, the final secret key generation does 
not make use of the phase information of the transmitted quan- 
tum registers. Hence, the Shor-Preskill argument in Ref. [22] 
can be applied to Scheme A, giving us equally secure PM 
Schemes B and C. (Note that the introduction of random non- 
signaling qubits does not affect the tolerable BER of Scheme C 
as these qubits are discarded after being measured and are not 
used to generate the secret key.) ■ 



As discussed in Subsection IV-A, we cannot compare the 
error tolerant capability of Scheme B that uses unentangled 
quantum particles of different dimensions as information car- 
riers. Nonetheless, we can compare the error tolerant capability 
of the EQB PM QKD Scheme C against the same eavesdrop- 
ping attack. 

Theorem 5: For any fixed $n$, the error tolerant capability 
of Scheme C[$2^n$, $n_{\rm ns}$] increases with $n_{\rm ns}$ in the limit 
of a large $\sum_{M \in SL(2, 2^n)} |S_M|$. Besides, in the limits of a 
large $\sum_{M \in SL(2, 2^n)} |S_M|$ and a large $n_{\rm ns}$, the error tolerant 
capability of Scheme C[$2^n$, $n_{\rm ns}$] increases with $n$. That is 
to say, for any fixed $n$ and in the limit of a large $n_{\rm ns}$, 
whenever Scheme C[$2^n$, $n_{\rm ns}$] generates a provably secure key 
under an eavesdropping attack, so does Scheme C[$2^{n'}$, $n_{\rm ns}$] 
under the same attack for any $n' > n$. Furthermore, there 
is a family of eavesdropping attacks that can be tolerated 
by Scheme C[$2^{n'}$, $n_{\rm ns}$]. However, no provably secure key is 
produced in Scheme C[$2^n$, $n_{\rm ns}$]. 

Proof: Recall that Alice sends Bob packets of qubits each 
containing $n$ signaling as well as $n_{\rm ns}$ non-signaling qubits and 
that any eavesdropping strategy in Scheme C is equivalent 
to a classical probabilistic cheating strategy. Suppose that the 
channel quantum error rate is $q$. In other words, the probability 
that a randomly chosen qubit passing through the insecure 
channel is in error equals $q$. Let $q_k$ denote the portion of 
packets that contains exactly $k$ erroneous qubits. Then, $q_k$'s 
satisfy the following three constraints: 

$$\sum_{k=0}^{n+n_{\rm ns}} q_k = 1, \qquad (41)$$

$$\sum_{k=0}^{n+n_{\rm ns}} k q_k = (n + n_{\rm ns}) q, \qquad (42)$$

and 

$$0 \le q_k \le 1 \qquad (43)$$

for $k = 0, 1, \ldots, n + n_{\rm ns}$. Clearly, the set of $(q_0, q_1, \ldots, q_{n+n_{\rm ns}})$ 
satisfying the above three constraints is convex. 

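Since Eve does not know which qubits are signaling before 
Bob has received them, the QER for the signaling qubits is 
given by 

$$q_{\rm QER} = \sum_{k=1}^{n+n_{\rm ns}} q_k \left( 1 - \prod_{i=0}^{n-1} \frac{n + n_{\rm ns} - k - i}{n + n_{\rm ns} - i} \right) = 1 - \sum_{k=0}^{n+n_{\rm ns}} q_k \prod_{i=0}^{n-1} \frac{n + n_{\rm ns} - k - i}{n + n_{\rm ns} - i} . \qquad (44)$$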



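We claim that for any $q_k$'s satisfying the three constraints (41)-(43), 
$q_{\rm QER}$ is upper-bounded by 

$$q_{\rm QER} \le 1 - \sum_{k=\lfloor (n+n_{\rm ns})q \rfloor}^{\lfloor (n+n_{\rm ns})q \rfloor + 1} \tilde{q}_k \prod_{i=0}^{n-1} \frac{n + n_{\rm ns} - k - i}{n + n_{\rm ns} - i} , \qquad (45)$$

where $\tilde{q}_k$'s are the (unique) solutions of the system of equations 

$$\sum_{k=\lfloor (n+n_{\rm ns})q \rfloor}^{\lfloor (n+n_{\rm ns})q \rfloor + 1} \tilde{q}_k = 1 \qquad (46)$$

and 

$$\sum_{k=\lfloor (n+n_{\rm ns})q \rfloor}^{\lfloor (n+n_{\rm ns})q \rfloor + 1} k \tilde{q}_k = (n + n_{\rm ns}) q . \qquad (47)$$

In other words, we claim that among all strategies that cause 
a channel quantum error rate $q$, the one that causes either 
$\lfloor (n + n_{\rm ns})q \rfloor$ or $\lfloor (n + n_{\rm ns})q \rfloor + 1$ erroneous qubits in each 
packet produces the highest QER in the signaling qubits. 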
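To show the validity of our claim, we rewrite Eq. (44) as 

$$q_{\rm QER} = 1 - \sum_{k=\lfloor (n+n_{\rm ns})q \rfloor}^{\lfloor (n+n_{\rm ns})q \rfloor + 1} \tilde{q}_k \prod_{i=0}^{n-1} \frac{n + n_{\rm ns} - k - i}{n + n_{\rm ns} - i} - \sum_{k=0}^{n+n_{\rm ns}} \Delta q_k \prod_{i=0}^{n-1} \frac{n + n_{\rm ns} - k - i}{n + n_{\rm ns} - i} , \qquad (48)$$

where $\Delta q_k = q_k - \tilde{q}_k$ if $k = \lfloor (n + n_{\rm ns})q \rfloor$ or $\lfloor (n + n_{\rm ns})q \rfloor + 1$, 
and $\Delta q_k = q_k$ otherwise. Since the set of $(q_0, \ldots, q_{n+n_{\rm ns}})$ 
satisfying Eqs. (41)-(43) is convex, the claim is valid if we 
can show that the last term in Eq. (48) is non-positive for all 
$\Delta q_k$'s satisfying $\sum_k \Delta q_k = \sum_k k \Delta q_k = 0$ and $\Delta q_j \ge 0$ 
whenever $j \neq \lfloor (n + n_{\rm ns})q \rfloor$, $\lfloor (n + n_{\rm ns})q \rfloor + 1$. 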

There are three cases to consider. The first case is that 
$\Delta q_k \ge 0$ for all $k$. Clearly, this is possible only if $\Delta q_k = 0$ 
for all $k$. So in this case, the last term in Eq. (48) equals 0. 
The second case is that exactly one $\Delta q_k < 0$. Without loss 
of generality, we may assume that the one is $\Delta q_{\lfloor (n+n_{\rm ns})q \rfloor}$. Observe 
that one can tune Aj's to make the auxiliary real-valued 
function $\xi$ in the equation below two times differentiable and 
$\xi'' > 0$ in $(0, n + n_{\rm ns})$: 



Y[T(n 



k — i + 1) if < k < n n 



i=0 



m = 



i=0 



if n ns < k < n ns + 1, 



if k > n„ 



(49) 

Consequently, such a $\xi(k)$ is a convex function in the interval 
$[0, n + n_{\rm ns}]$. Since $\sum_{k \neq \lfloor (n+n_{\rm ns})q \rfloor} \Delta q_k = -\Delta q_{\lfloor (n+n_{\rm ns})q \rfloor} > 0$, 
the convexity of $\xi$ implies that the last term in Eq. (48) is 
non-positive. 

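The last case is that exactly two $\Delta q_k < 0$, namely, for $k = 
\lfloor (n + n_{\rm ns})q \rfloor$ and $\lfloor (n + n_{\rm ns})q \rfloor + 1$. In this situation, $\sum_k \Delta q_k = 
\sum_k k \Delta q_k = 0$ demands that there exist $\Delta q_{k_1}, \Delta q_{k_2} > 0$ 
for some $k_1 < \lfloor (n + n_{\rm ns})q \rfloor$ and $k_2 > \lfloor (n + n_{\rm ns})q \rfloor + 1$. 
Consequently, we may define $\Delta q'_j = \Delta q''_j = 0$ for $j = \lfloor (n + 
n_{\rm ns})q \rfloor$ and $\lfloor (n + n_{\rm ns})q \rfloor + 1$ and decompose $\Delta q_k$ as $\Delta q'_k + \Delta q''_k$ 
for all $k \neq \lfloor (n + n_{\rm ns})q \rfloor$, $\lfloor (n + n_{\rm ns})q \rfloor + 1$ in such a way that 
$\Delta q'_k, \Delta q''_k \ge 0$ for all $k$ and $\sum_k \Delta q'_k = -\Delta q_{\lfloor (n+n_{\rm ns})q \rfloor}$ and 
$\sum_k \Delta q''_k = -\Delta q_{\lfloor (n+n_{\rm ns})q \rfloor + 1}$. By means of this decomposition 
and the convexity of the function $\xi$, we conclude that the last 
term in Eq. (48) is non-positive. Hence, the claim in Eq. (45) 
is valid. 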

From Eqs. (45)-(47), it is easy to check that for a fixed 
$n$, the tolerable BER of Scheme C[$2^n$, $n_{\rm ns}$] increases with $n_{\rm ns}$. 
Combining with Eq. (39) and Table II we conclude that 
for $n = 2$, $q \approx 1.5 \times 0.2764$ and $q_{\rm QER} < 1.25 \times 0.5340$, 
$n_{\rm ns} \ge 23$. Thus, Scheme C[4, $n_{\rm ns}$] generates a provably secure 
key when the channel bit error rate is slightly higher than 
27.64% provided that $n_{\rm ns} \ge 23$. Thus, this scheme is more 
error-resistant than any UQB QKD scheme known to date. 

Note that as $n_{\rm ns} \to \infty$, the right hand side of Eq. (45) 
becomes $1 - (1 - q)^n$. (A simple way to argue why this is 
the case is to observe that in the limit of a large number of 
random non-signaling qubits used, Eve can do no better than 
guessing which of the $n$ qubits in a packet are used to generate 
the secret key when these qubits are traveling in the insecure 
channel.) As the Pauli signal quantum error is depolarized, 
Lemma 3 demands that the error rates caused by this classical 
probabilistic strategy are given by 

$$e_{ab} = \begin{cases} (1 - q)^n & \text{if } a = b = 0, \\ \dfrac{1 - (1 - q)^n}{2^{2n} - 1} & \text{otherwise.} \end{cases} \qquad (50)$$

From Eq. (40), the final key is provably secure provided that 
the probability $q$ satisfies 

$$q < q_{\rm crit}(n) = 1 - \frac{1}{2} \left[ \frac{(1 + \sqrt{5}) 2^{2n} - (\sqrt{5} - 1)}{2 (2^{2n} + 2^n - 1)} \right]^{1/n} . \qquad (51)$$

Since $q_{\rm crit}(n)$ is a strictly increasing function of $n$, we conclude 
that the error tolerant capability of Scheme C[$2^n$, $n_{\rm ns}$] strictly 
increases with increasing $n$ in the limit of large $n_{\rm ns}$. Hence, 
this theorem is proved. ■ 

Since the most error-resistant UQB PM scheme known 
to date is the one offered by Chau in Ref. [25] (which 
is also equivalent to Scheme C[2, 0]), the above theorem 
clearly shows the advantage of using entangled qubits as 
information carriers provided that Alice and Bob can transmit 
a large number of qubits without requiring quantum storage. 
Specifically, no UQB PM scheme to date can generate a 
provably secure key if Eve randomly causes an error to a qubit 
in the insecure quantum channel with probability q satisfying 
$0.4146 \approx q_{\rm crit}(1) < q < q_{\rm crit}(2) \approx 0.4234$. In contrast, 
Scheme C[$2^n$, $n_{\rm ns}$] tolerates such an attack for any $n \ge 2$ 
and for a sufficiently large $n_{\rm ns}$ depending on $n$. 

We emphasize that the use of random non-signaling qubits 
is vital in the proof of Theorem 5. Otherwise, Eve may cause 
100% signal quantum error in Scheme C[$2^n$, $n_{\rm ns}$] by creating 
an $X$ error to every one out of $n$ consecutive qubits that passes 
through the insecure quantum channel. However, we also have 
to stress that the presence of non-signaling qubits lowers the 
key generation rate of Scheme C. In the absence of quantum 
storage, the number of non-signaling qubits per packet $n_{\rm ns}$ 
is limited by the decoherence time of qubits and the qubit 
transmission rate in the channel. The proof of Theorem 5 tells 
us that for $n = 2$, Alice and Bob need to use $n_{\rm ns} = 23$ 
in order to generate a provably secure key at a channel 
BER slightly higher than that which can be tolerated by all 
UQB QKD schemes known to date. Clearly, Scheme C[4, 23] 
generates a key at a rate 8% that of Scheme C[2, 0]. Moreover, 
manipulating a packet of 25 qubits in the absence of quantum 
storage in Scheme C[4, 23] is challenging. 
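The figures quoted in the proof of Theorem 5 can be checked numerically. The Python sketch below is an added illustration, not part of the paper: it evaluates Eq. (51), the signal QER of Eq. (44) and its worst-case bound of Eqs. (45)-(47), and searches for the smallest $n_{\rm ns}$ that keeps the bound below the quoted threshold for $n = 2$. All function names are hypothetical, and the inputs $1.5 \times 0.2764$ and $1.25 \times 0.5340$ are the values stated in the text.

```python
import math

def q_crit(n):
    """Eq. (51): critical per-qubit error probability in the limit n_ns -> infinity."""
    s5 = math.sqrt(5)
    ratio = ((1 + s5) * 4**n - (s5 - 1)) / (2 * (4**n + 2**n - 1))
    return 1 - 0.5 * ratio ** (1 / n)

def p_clean(n, n_ns, k):
    """Product in Eqs. (44)-(45): chance that none of the n signaling qubits is
    among the k erroneous qubits of a packet of n + n_ns qubits."""
    m = n + n_ns
    return math.comb(m - k, n) / math.comb(m, n)

def qer_signal(n, n_ns, dist):
    """Eq. (44). dist maps k -> fraction q_k of packets with exactly k errors."""
    return 1 - sum(q_k * p_clean(n, n_ns, k) for k, q_k in dist.items())

def worst_case_dist(n, n_ns, q):
    """Eqs. (46)-(47): all weight on floor(mq) and floor(mq) + 1 errors per packet."""
    m = n + n_ns
    j = math.floor(m * q)
    t = m * q - j
    return {j: 1 - t, j + 1: t} if j < m else {m: 1.0}

def qer_bound(n, n_ns, q):
    """Right-hand side of Eq. (45)."""
    return qer_signal(n, n_ns, worst_case_dist(n, n_ns, q))

def iid_dist(n, n_ns, q):
    """Comparison strategy: independent errors with probability q per qubit."""
    m = n + n_ns
    return {k: math.comb(m, k) * q**k * (1 - q)**(m - k) for k in range(m + 1)}

def min_nonsignaling(n, q, qer_max, limit=500):
    """Smallest n_ns for which the worst-case signal QER stays below qer_max."""
    for n_ns in range(limit + 1):
        if qer_bound(n, n_ns, q) < qer_max:
            return n_ns
    return None

if __name__ == "__main__":
    q = 1.5 * 0.2764          # channel error probability quoted for n = 2
    qer_max = 1.25 * 0.5340   # tolerable signal QER quoted for n = 2
    print("q_crit(1), q_crit(2):", round(q_crit(1), 4), round(q_crit(2), 4))
    print("smallest n_ns:", min_nonsignaling(2, q, qer_max))
    for n_ns in (0, 22, 23, 200):
        print(n_ns, round(qer_bound(2, n_ns, q), 5),
              round(qer_signal(2, n_ns, iid_dist(2, n_ns, q)), 5))
```

Independent errors always give a signal QER of exactly $1 - (1-q)^n$, while the two-point strategy of Eqs. (46)-(47) gives a strictly larger value that approaches it as $n_{\rm ns}$ grows; with $n_{\rm ns} = 0$ and $q = 1/2$ the bound reaches 1, which is the 100% attack described above.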

Now, we discuss the number of different kinds of states 
Alice and Bob have to prepare and measure in Schemes B 
and C. 

Theorem 6: Suppose Alice and Bob follow Schemes B or C 
with $G = SL(2, N)$, so that they prepare and measure in 
$N(N + 1)$ bases (and hence $N^2(N + 1)$ different states). If 
they choose $G$ to be an order $(N^2 - 1)$ subgroup of $SL(2, N)$ 
instead, they need to prepare and measure in $(N + 1)$ different 
bases (and hence $N(N + 1)$ states). 

Proof: Case (1): $G = SL(2, N)$. Let $G'$ be the 
subgroup $\{\mathrm{diag}(a, a^{-1}) : a \in GF(N)^*\}$ of $SL(2, N)$. 
Let $g, g' \in G'$ and $h \in SL(2, N)$. From Eqs. 
^\T{gh)- l T{g'h)\i/) - uf^' k) (i\T{gh)^T{g'h)Z k \i') 
= uf^V(i\Z kp -,T{gh)^T{g>h)\i>) = u7; {[ ^' ]k) 
{i\T(ghY 1 T{g'h)\i l ) for all k G GF(N), where g'g = 
$\mathrm{diag}(\beta, \beta^{-1})$. Therefore, $\langle i|T(gh)^{-1}T(g'h)|i'\rangle = 0$ if $i \neq i'\beta$. 
In other words, the bases $\{T(gh)|i\rangle : i \in GF(N)\}$ and 
$\{T(g'h)|i\rangle : i \in GF(N)\}$ are the same. Consequently, if 
Alice and Bob choose $G = SL(2, N)$ in Schemes B and C, 
they need to prepare and measure in $N(N^2 - 1)/(N - 1) = 
N(N + 1)$ bases (and hence $N^2(N + 1)$ different states). 

Case (2): $N = 2$ and $G$ is the order 3 subgroup of $SL(2, 2)$. 
Theorem 8 in the Appendix tells us that $G$ is unique. It is clear 
that, in this case, Alice and Bob need to prepare and measure 
their quantum states in three different bases. 

Case (3): $N > 2$ and $G$ is the order $(N^2 - 1)$ subgroup 
of $SL(2, N)$. Theorem 8 in the Appendix implies that $N = 
3, 5, 7, 11$. Besides, $G$ contains an order $(N - 1)$ subgroup 
$H'$ in the form $\{P^{-1} \mathrm{diag}(a, a^{-1}) P : a \in GF(N)^*\}$ for 
some $P \in SL(2, N)$. Recall from Subsection III-A that 
$T : SL(2, N) \to U(N)$ in this case is a transposed 
representation. Hence, from Eq. {7}, (i\T(gh)~ 1 T(g'h)\i'} 
= {i\T{g'g^W) = (zlTXdiag^r 1 ))!*') = W 0' 1 ) for 
some 6 GF(N)*. Hence, Alice and Bob need to prepare 
and measure in $(N^2 - 1)/(N - 1) = N + 1$ different bases 
(and hence $N(N + 1)$ states). ■ 

Since the maximum number of mutually unbiased bases 
equals (N + 1) for any prime power N [32], [33], [34], 
Scheme B shows that certain PM QKD schemes not using 
mutually unbiased bases can be more error-tolerant. 

VI. Discussions 

In summary, we have introduced two PM QKD schemes 
(Schemes B and C) based on depolarization of Pauli errors and 
proved their unconditional security. In particular, we showed 
that for a sufficiently large Hilbert space dimension of quantum 
particles N used, Scheme B generates a provably secure key 
close to 100% SBMER or 50% BER. This result demon- 
strates the advantages of using unentangled higher dimensional 
quantum particles as signal carriers as well as depolarizing 
Pauli errors in QKD. It also shows that, for N > 2, the 
use of certain non-mutually unbiased bases increases the error 
tolerance capability of QKD. In addition, Scheme C shows 
that the ability to create and transfer, but not to store entangled 
qubits is advantageous in quantum cryptography. 

There is a tradeoff between the error tolerance rate and 
key generation efficiency, however. It is clear from the proof 
of Theorem 3 that $r$, and hence the number $L$ of quantum 
particles transferred from Alice to Bob, scales as $2^k$. Besides, 
the probability that the measurement results agree and hence 
the control quantum register pairs are kept in LOCC2 EP 
equals $\approx 1/N$ in the worst case. As a result, while Schemes B 
and C are highly error-tolerant, they generate a secret key 
with exponentially small efficiency in the worst case scenario. 
Fortunately, the adaptive nature of Schemes B and C makes 
sure that this scenario will not happen when the error rate 
of the channel is small. To conclude, in most practical situations, 
Alice and Bob should choose the smallest possible $N$ 
whose corresponding $e^{\rm SBMER}$ is slightly larger than the channel 
standard basis measurement error rate. In this way, they can 
generate their provably secure key at the highest possible rate. 

Appendix 

This appendix discusses the possibility of depolarizing Pauli 
error using proper subgroups of SL(2, N). The analysis makes 
use of the Dickson theorem [35] on the subgroup classification 
of projective special linear groups over finite fields. The 
version of the Dickson theorem listed below is due to Huppert 
in the Hauptsatz 8.27 in Ref. [36]. 



Theorem 7 (Dickson): Let $N = p^n$. Subgroups of 
$PSL(2, N)$ are isomorphic to one of the following families 
of groups: 

1) Elementary Abelian $p$-groups; 

2) Cyclic groups $C_z$ of order $z$, where $z$ is a divisor of 
$(N \pm 1)/(N - 1, 2)$; 

3) Dihedral groups $D_z$ of order $2z$, where $z$ is as defined 
in 2); 

4) Alternating group $A_4$ (this can occur only for $p > 2$ or 
when $p = 2$ and $n \equiv 0 \bmod 2$); 

5) Symmetric group $S_4$ (this can occur only if $N^2 \equiv 
1 \bmod 16$); 

6) Alternating group $A_5$ (this can occur only if $p = 5$ or 
$N^2 \equiv 1 \bmod 5$); 

7) A semidirect product of an elementary Abelian group of 
order $p^m$ with a cyclic group of order $t$, where $t$ is a 
divisor of $(p^m - 1, N - 1)$; 

8) The group $PSL(2, p^m)$ for $m$ a divisor of $n$, or the 
group $PGL(2, p^m)$ for $2m$ a divisor of $n$. 

In addition to the Dickson theorem, the following lemma is 
also needed. 



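Lemma 7: If $N$ is odd, $-I$ is the only element in $SL(2, N)$ 
whose order is 2. 

Proof: Let $M = \begin{bmatrix} \alpha & \beta \\ \delta & \gamma \end{bmatrix}$ be an order 2 element in 
$SL(2, N)$. $M^2 = I$ implies $\beta(\alpha + \gamma) = \delta(\alpha + \gamma) = 0$ and 
$\alpha^2 + \beta\delta = 1$. If $\alpha + \gamma = 0$, $\det M = -\alpha^2 - \beta\delta = 1$ is 
consistent with $\alpha^2 + \beta\delta = 1$ only if $N$ is even. So, $\alpha + \gamma$ 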
must be equal to 0. Hence, = 7 = and M — ±1. As N 
is odd, —I is the only order 2 element in SL(2, N). ■ 

We examine the possibility of using a smaller group to 
depolarize Pauli error in step Specifically, we look for 
subgroups H of SL(2, N) to do the job. Clearly, the order 
of the subgroup $H$ must be a multiple of $(N^2 - 1)$. 

Theorem 8: Proper subgroups $H$ of $SL(2, N)$ satisfying 
$(N^2 - 1) \mid |H|$ exist only for $N = 2, 3, 5, 7, 11$ and $|H| = 
N^2 - 1$. Specifically, 

1) When $N = 2$, $H \cong C_3$. Moreover, this subgroup is 
unique and is generated by one element. In fact, $H = 
\left\langle \begin{bmatrix} 0 & 1 \\ 1 & 1 \end{bmatrix} \right\rangle$. 

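2) When $N = 3$, $H \cong Q_8$. Moreover, this subgroup is 
unique and is generated by two elements. In fact, $H = 
\left\langle \begin{bmatrix} 1 & 1 \\ 1 & 2 \end{bmatrix}, \begin{bmatrix} 1 & 2 \\ 2 & 2 \end{bmatrix} \right\rangle$. 

3) When $N = 5$, $H/\{\pm I\} \cong A_4$. Moreover, $H$ is 
generated by two elements. One possible choice of $H$ 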

" "is)- 

4) When $N = 7$, $H/\{\pm I\} \cong S_4$. Moreover, $H$ is generated 
by two elements. One possible choice of $H$ is 



" 2 


" 







3 


■ 




5) When $N = 11$, $H/\{\pm I\} \cong A_5$. Moreover, $H$ is 
generated by two elements. One possible choice of $H$ 
is 



"20" 




' 1 


1 " 


6 




1 


2 
and Mfi, the order 3 subgroup 



Furthermore, $|\{M \in H : M[a\ b]^t = [c\ d]^t\}| = 1$ for 
all $[a\ b], [c\ d] \neq [0\ 0]$. Thus, replacing $SL(2, N)$ by $H$ in 
Scheme A also depolarizes Pauli errors. 

Proof: From the Dickson theorem, it follows that 
$SL(2, N)$ does not contain a proper subgroup $H$ whose order 
divides $(N^2 - 1)$ if $N \neq 2, 3, 5, 7, 11$. Moreover, if $H$ exists 
for $N = 2, 3, 5, 7, 11$, $|H| = N^2 - 1$. In what follows, we are 
going to show that such $H$ indeed exist for $N = 2, 3, 5, 7, 11$. 

Case (1): When $N = 2$, the Dickson theorem implies that 
if $H$ exists, $H \cong C_3$. Since the only order 3 elements of 

51,(2, 2) are M 21 = J J 

$H$ of $SL(2, 2)$ exists and is unique. An explicit expression for 
$T(M_{21})$ is given in Table I for reference. 

Case (2): When $N = 3$, the Dickson theorem implies that if 
$H$ exists, $H/\{\pm I\} \cong D_2 \cong C_2 \times C_2$. $H$ cannot be Abelian as 
$H$ would then be isomorphic to $C_2 \times C_2 \times C_2$, contradicting 
Lemma 7. Since $H$ is a non-Abelian group of order 8, it 
is generated by two elements. By Lemma 7 and the proof of 
Proposition 6.3 in Ref. [37], we conclude that the two elements 
generating $H$ are both of order 4. Hence, $H \cong Q_8$. Note that 
the only order 4 elements of $SL(2, 3)$ are $M_{31} = \begin{bmatrix} 1 & 1 \\ 1 & 2 \end{bmatrix}$, 
$-M_{31}$, $M_{32} = \begin{bmatrix} 1 & 2 \\ 2 & 2 \end{bmatrix}$, $-M_{32}$, $M_{31}M_{32}$ and $M_{32}M_{31}$. 
Therefore, $\langle M_{31}, M_{32} \rangle$ is the only order $(N^2 - 1)$ subgroup 
of $SL(2, 3)$. Explicit expressions for $T(M_{31})$ and $T(M_{32})$ are 
given in Table I for reference. 

Case (3): When $N = 5$, the Dickson theorem implies that 
if $H$ exists, $H/\{\pm I\} \cong A_4$ or $D_6$. Satz 8.13 in Ref. [36] 
says that $PSL(2, 5) \cong A_5$. Hence, the only possibility is 
that $H/\{\pm I\} \cong A_4$. Since $A_4$ can be generated by two 
elements, one of order 2 and the other of order 3, $H/\{\pm I\} = 
\langle M_{51}/\{\pm I\}, M_{52}/\{\pm I\} \rangle$ for some $M_{51}, M_{52} \in SL(2, 5)$ 
provided that $H$ exists. Moreover, $M_{51}/\{\pm I\}$ and $M_{52}/\{\pm I\}$ 
are of order 2 and 3, respectively. We may assume that $M_{52}^3 = 
-I$, for otherwise replace $M_{52}$ by $-M_{52}$. Consequently, the 
subgroup $H$, if it exists, is equal to $\langle -I, M_{51}, M_{52} \rangle = 
\langle M_{51}, M_{52} \rangle$. Thus, $H$ can be generated by two elements in 
$SL(2, 5)$. From Lemma 7, the order of $M_{51}$ is equal to 4. By 
explicit search, $H$ exists but is not unique. One possible $H$ is 



Case (4): When $N = 7$, the Dickson theorem implies that 
if $H$ exists, $H/\{\pm I\} \cong S_4$. Since $S_4$ is generated by two 
elements, namely (1234) and (123), the subgroup $H/\{\pm I\}$, 
if it exists, equals $\langle M_{71}/\{\pm I\}, M_{72}/\{\pm I\} \rangle$. Moreover, using 
the same argument as in the proof of case (3), we may 
choose $M_{71}^4 = \pm I$ and $M_{72}^3 = -I$. Hence, $H$, if it 
exists, is equal to $\langle -I, M_{71}, M_{72} \rangle = \langle M_{71}, M_{72} \rangle$. By an 
explicit search, $H$ exists but is not unique. One possible $H$ is 



Case (5): When $N = 11$, the Dickson theorem implies that 
if $H$ exists, $H/\{\pm I\} \cong A_5$. Since $A_5$ is generated by two 
elements, namely (12345) and (123), using the same argument 
as in the proof of cases (3) and (4), we conclude that $H$, if it 
exists, can be generated by two elements. An explicit search 
tells us that $H$ exists but is not unique, and one possible $H$ is 



"2 " 




" 1 1 " 


6 




1 2 


To show that $|\{M \in H : M[a\ b]^t = [c\ d]^t\}| = 1$ 
for all $[a\ b], [c\ d] \neq [0\ 0]$, we observe from our discussion 
of the structure of $H$ above that $H$ contains an 
order $(N - 1)$ proper subgroup $H'$. Since $H' < SL(2, N)$, 
$H' = \{P^{-1} \mathrm{diag}(a, a^{-1}) P : a \in GF(N)^*\}$ for some $P \in 
SL(2, N)$. As all order $(N^2 - 1)$ subgroups of $SL(2, N)$ are 
conjugate to each other, it suffices to show the validity for 



/. As N\\H\ = 

a (3 
a" ] 



P 

of the form 



N 2 



1, H does not contain elements 







a 



Therefore, for any M 

\{H'MH'}\ = 



a 
6 



7 



for some /3 7^ 0. 
G SL(2,N), 



\{M'MM" : M',M" G H'}\ 
N - 1 if a = or 5 = 0, 
l) 2 



(N- 



(52) 



Also, the first columns of the matrices in $H'MH'$ are all distinct. 
Since $|H| = N^2 - 1$, Eq. (52) requires that the first columns 
of the matrices in $H$ are all distinct. Hence, $|\{M \in H : 
M[a\ b]^t = [c\ d]^t\}| = 1$ for all $[a\ b], [c\ d] \neq [0\ 0]$. Combining 
with the fact that $H'$ is a group, Scheme A depolarizes Pauli 
errors. ■ 
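The explicit search mentioned in the proof of Theorem 8 can be reproduced for small prime $N$. The Python sketch below is an added illustration, not code from the paper: it enumerates $SL(2, p)$ over the prime field $GF(p)$, looks for a pair of generators of an order $(p^2 - 1)$ subgroup $H$, and checks the depolarization condition $|\{M \in H : M[a\ b]^t = [c\ d]^t\}| = 1$ for all nonzero vectors. Function names and the tuple encoding of matrices are assumptions made for this example.

```python
from itertools import product

IDENTITY = (1, 0, 0, 1)   # the matrix [[a, b], [c, d]] is stored as (a, b, c, d)

def sl2(p):
    """All 2x2 matrices over GF(p), p prime, with determinant 1."""
    return [(a, b, c, d) for a, b, c, d in product(range(p), repeat=4)
            if (a * d - b * c) % p == 1]

def mul(x, y, p):
    """Matrix product x*y over GF(p)."""
    a, b, c, d = x
    e, f, g, h = y
    return ((a * e + b * g) % p, (a * f + b * h) % p,
            (c * e + d * g) % p, (c * f + d * h) % p)

def generated(gens, p, cap):
    """Subgroup generated by gens, or None once it has more than cap elements."""
    group, frontier = {IDENTITY}, [IDENTITY]
    while frontier:
        x = frontier.pop()
        for g in gens:
            y = mul(x, g, p)
            if y not in group:
                group.add(y)
                frontier.append(y)
                if len(group) > cap:
                    return None
    return group

def acts_regularly(group, p):
    """True iff for all nonzero v, w exactly one M in group satisfies M v = w."""
    vectors = [v for v in product(range(p), repeat=2) if v != (0, 0)]
    for v in vectors:
        images = [((m[0] * v[0] + m[1] * v[1]) % p,
                   (m[2] * v[0] + m[3] * v[1]) % p) for m in group]
        if sorted(images) != vectors:   # vectors is already in sorted order
            return False
    return True

def find_depolarizing_subgroup(p):
    """Explicit search for two generators of an order p^2 - 1 subgroup of SL(2, p)."""
    order = p * p - 1
    elems = sl2(p)
    for g1 in elems:
        for g2 in elems:
            h = generated((g1, g2), p, order)
            if h is not None and len(h) == order:
                return (g1, g2), h
    return None

if __name__ == "__main__":
    for p in (2, 3, 5):
        gens, h = find_depolarizing_subgroup(p)
        print(p, gens, len(h), acts_regularly(h, p), acts_regularly(sl2(p), p))
```

The full group $SL(2, p)$ fails the exactly-one test because it maps each nonzero vector to each other one through $p$ different matrices; the order $(p^2 - 1)$ subgroup does it through exactly one.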